Patch these critical Fortinet sandbox bugs that let attackers bypass login, run commands over HTTP

Two critical bugs in Fortinet's FortiSandbox could let unauthenticated attackers do nasty things: bypass authentication and run OS commands via HTTP. Fortinet has released fixes, so stop reading and patch — pronto. It has been reported that, so far, there are no confirmed cases of active exploitation, but once proof-of-concept code and scanners are public, trouble tends to follow fast.

What’s affected and how bad is it?

CVE-2026-39808 is an OS command injection flaw in FortiSandbox (4.4.0–4.4.8) that reportedly allows attackers to execute arbitrary commands via crafted HTTP requests. CVE-2026-39813 is a path traversal issue in the FortiSandbox JRPC API that can be used to bypass authentication; it affects 4.4.0–4.4.8 and 5.0.0–5.0.5. Both carry a 9.1 CVSS score — critical. Upgrade paths: move to FortiSandbox 4.4.9+ or 5.0.6+, depending on your branch. The latter bug was found by Fortinet analyst Loic Pantano; it has been reported that researcher “Rishi” published scanners for both CVEs to help admins find vulnerable instances.

Why care? These are unauthenticated, remotely reachable flaws. That’s the worst kind: no credentials needed, and weaponization is now a much smaller hurdle. Combine that with the recent FortiClient EMS zero-day drama and a CISA KEV listing earlier this month, and you have a pattern: Fortinet products are high-value targets. Want to wait and hope you’re spared? That’s gambling with your network.

What to do now

Install Fortinet’s patches immediately — 4.4.9+ or 5.0.6+ as appropriate. Use the published scanners to inventory deployments, tighten access to management interfaces, monitor logs for odd HTTP requests, and follow Fortinet security advisories. Don’t let this linger on your to-do list. Patch, verify, and breathe a little easier.

Sources: The Register