A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-39808, has been publicly disclosed in Fortinet’s FortiSandbox platform, carrying a CVSS score of 9.8 and allowing attackers to execute arbitrary OS commands as root without credentials.
A working proof-of-concept (PoC) exploit is now freely available on GitHub, drastically lowering the barrier to exploitation for threat actors worldwide.
CVE-2026-39808: FortiSandbox RCE Flaw
CVE-2026-39808 is an OS command injection vulnerability rooted in CWE-78 (Improper Neutralization of Special Elements Used in an OS Command).
It resides in the /fortisandbox/job-detail/tracer-behavior API endpoint of Fortinet FortiSandbox, where the jid parameter is passed directly into a system command without any input sanitization.
The vulnerability was discovered by security researchers in November 2025 and publicly disclosed in April 2026 following Fortinet’s patch release.
The flaw affects FortiSandbox versions 4.4.0 through 4.4.8, and the patch is available in version 4.4.9 and above. Fortinet published the official advisory, FG-IR-25-325.
The root cause is devastatingly simple: the jid parameter in the tracer-behavior endpoint is never sanitized before being passed to an underlying system call.
An attacker can inject a pipe character (|) to break out of the intended command context and execute any arbitrary command as the root user:
GET /fortisandbox/job-detail/tracer-behavior?jid=|(id > /web/ng/out.txt)| HTTP/1.1
The injected command writes its output to /web/ng/out.txt, which is publicly accessible at /ng/out.txt on the web server, creating a read-back channel for blind command injection without requiring any login session. This means a basic curl command is all an attacker needs to confirm full root-level compromise of the appliance.
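To make the CWE-78 pattern behind this flaw concrete, the following is an added illustration written for this write-up; it is not FortiSandbox code and not taken from the PoC. The binary path /opt/tracer/show-behavior, the numeric job-id format and the handler shape are all assumptions. The vulnerable builder only returns the command string it would hand to a shell (nothing is executed), and shlex is used to show how the shell would tokenize it; the hardened path applies an allow-list check and passes the value as its own argv element with shell=False.

```python
import re
import shlex
import subprocess

TRACER_BIN = "/opt/tracer/show-behavior"   # HYPOTHETICAL path; the real helper is not named on the page
JID_RE = re.compile(r"^[0-9]{1,20}$")      # ASSUMED: a legitimate job id is a decimal integer


def build_command_vulnerable(jid: str) -> str:
    """CWE-78 pattern: the request parameter is spliced straight into a shell command string
    (the kind of string that ends up in os.system or subprocess with shell=True).
    The string is returned, never executed here, so the example only shows what a shell would get."""
    return f"{TRACER_BIN} --jid {jid}"


def shell_tokens(command: str) -> list[str]:
    """Tokenize a command string the way a POSIX shell would (shlex punctuation mode), so that
    '|', ';', '&', '(' and ')' appear as separate control tokens rather than as part of the jid."""
    return list(shlex.shlex(command, punctuation_chars=True))


def validate_jid(jid: str) -> str:
    """Allow-list check: accept only the expected shape and reject everything else.
    A deny-list of '|' alone would miss ';', '&&', '$(...)', backticks and newlines."""
    if not JID_RE.fullmatch(jid):
        raise ValueError(f"rejected jid: {jid!r}")
    return jid


def build_command_hardened(jid: str) -> list[str]:
    """Validated value passed as its own argv element; no shell ever parses it."""
    return [TRACER_BIN, "--jid", validate_jid(jid)]


def run_tracer(jid: str, runner=subprocess.run):
    """Handler-side call: argv list plus shell=False. 'runner' is injectable for testing."""
    return runner(build_command_hardened(jid), shell=False,
                  capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    probe = "10042|id"   # constructed input carrying the pipe metacharacter the page describes
    print("vulnerable string:", build_command_vulnerable(probe))
    print("shell would see  :", shell_tokens(build_command_vulnerable(probe)))
    try:
        build_command_hardened(probe)
    except ValueError as err:
        print("hardened rejects :", err)
    print("hardened argv    :", build_command_hardened("10042"))
```

The tokenized output is the whole story: in the vulnerable form the pipe terminates the intended command and whatever follows becomes a second command, while the hardened form never reaches a shell and rejects the value before building argv.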
PoC Exploit Publicly Released
Security researchers published a fully functional Python-based PoC scanner on GitHub that requires only Python 3.7+ and no external dependencies.
The tool implements a 5-step verification process to eliminate false positives: it fingerprints the FortiSandbox instance, confirms that the vulnerable endpoint exists, injects a unique canary string, reads the output file to validate the canary in plain text, and finally executes the user-specified command.
The scanner also supports pipeline integration with tools like subfinder, httpx, and Shodan for mass-scanning operations. With a working exploit in the wild, the Center for Cybersecurity Belgium has already issued a formal advisory urging organizations to patch with the highest priority.
Scanning activity for vulnerable FortiSandbox instances is actively underway, and the public availability of Shodan dorks (title:"FortiSandbox", title:"FortiSandbox - Please login") makes internet-exposed assets trivially discoverable.
FortiSandbox is deployed in enterprise environments as a core threat detection and zero-day malware analysis platform, meaning a compromise of this device gives attackers privileged insight into an organization’s most sensitive security telemetry.
The combination of zero authentication, root-level privilege, and a network-accessible attack vector makes this one of the most severe Fortinet vulnerabilities disclosed in 2026. Exploitation has been confirmed, and the vulnerability has landed on CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Additionally, CVE-2026-39808 is part of a twin vulnerability disclosure alongside CVE-2026-39813 (CVSS 9.1), an authentication bypass via path traversal in the JRPC API affecting FortiSandbox versions up to 5.0.5. Organizations running FortiSandbox 5.0.x must upgrade to 5.0.6 to remediate CVE-2026-39813.
Remediation
Organizations must act now to reduce their attack surface:
- Upgrade immediately to FortiSandbox 4.4.9 (or 5.0.6 for 5.x deployments)
- Restrict network access to the FortiSandbox management interface using firewall rules
- Block external access to /fortisandbox/job-detail/ API endpoints at the perimeter
- Monitor logs for suspicious jid parameter values containing pipe characters (|)
- Audit Shodan/FOFA exposure using the public dorks to identify any internet-facing instances
- Rotate credentials and audit root-level activity on any FortiSandbox appliances that may have been exposed before patching.
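The log-monitoring step above can be turned into a small triage script. The following is an added example written for this article, not a Fortinet or PoC tool. It assumes the web-access log is in Combined/Common Log Format and that legitimate job ids are numeric (both assumptions); the endpoint path and the /ng/ read-back location come from the advisory text. It goes slightly beyond the bullet: it percent-decodes the jid twice so that double-encoded metacharacters are caught, flags more than just the pipe character, and also flags successful reads of .txt files under /ng/ as a possible read-back of injected command output. The sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ENDPOINT = "/fortisandbox/job-detail/tracer-behavior"   # vulnerable endpoint named in the advisory
READBACK_PREFIX = "/ng/"                                 # /web/ng/ on disk is served under /ng/
SHELL_META = set("|;&`$(){}<>\n\r")                      # characters a job id should never contain
JID_OK = re.compile(r"^[0-9]+$")                         # ASSUMED: legitimate job ids are numeric

# Combined/Common Log Format; the request target is matched lazily up to the HTTP version
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def decode_jid(raw_query: str) -> str:
    """Return the jid value fully percent-decoded (two passes, so %257C also becomes '|')."""
    params = dict(parse_qsl(raw_query, keep_blank_values=True))   # first decode pass
    return unquote(params.get("jid", ""))                          # second decode pass


def analyze_line(line: str):
    """Classify one access-log line; returns a finding dict or None when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target, status = m.group("ip"), m.group("ts"), m.group("target"), m.group("status")
    url = urlsplit(target)
    base = {"ip": ip, "ts": ts, "status": status, "path": url.path}
    if url.path == ENDPOINT:
        jid = decode_jid(url.query)
        meta = sorted({c for c in jid if c in SHELL_META})
        if meta:
            return {**base, "severity": "high", "jid": jid,
                    "reason": f"shell metacharacter(s) {meta} in jid"}
        if not JID_OK.fullmatch(jid):
            return {**base, "severity": "medium", "jid": jid,
                    "reason": "jid does not match the expected numeric form"}
        return None
    if url.path.startswith(READBACK_PREFIX) and url.path.endswith(".txt") and status == "200":
        return {**base, "severity": "medium",
                "reason": "successful read of a .txt file under /ng/ (possible output read-back)"}
    return None


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep the findings, in log order."""
    return [f for f in (analyze_line(l) for l in lines) if f]


# Constructed sample log (documentation IP ranges); not real traffic
SAMPLE_LOG = [
    '198.51.100.4 - - [12/Apr/2026:10:21:03 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=10042 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Apr/2026:10:21:09 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=%7C(id)%7C HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Apr/2026:10:21:10 +0000] "GET /ng/out.txt HTTP/1.1" 200 54 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Apr/2026:10:21:15 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=%257C(id)%257C HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '198.51.100.4 - - [12/Apr/2026:10:22:00 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=abc HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Apr/2026:10:23:00 +0000] "GET /login HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["severity"]:6} {finding["ip"]:14} {finding["ts"]}  {finding["reason"]}')
```

Correlating a high finding with a read-back hit from the same source address within a few seconds is the pattern worth alerting on; a single successful /ng/*.txt fetch on its own is only a weak signal, which is why it is rated medium here.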
FAQ
Q1: What versions of FortiSandbox are affected by CVE-2026-39808?
FortiSandbox versions 4.4.0 through 4.4.8 are confirmed vulnerable; upgrade to 4.4.9 or above immediately.
Q2: Does exploiting CVE-2026-39808 require authentication?
No, the vulnerability is completely unauthenticated, meaning any network-accessible attacker can achieve root-level RCE with a single HTTP request.
Q3: Is a public exploit available for CVE-2026-39808?
Yes, a fully functional Python PoC scanner has been released on GitHub by researcher ynsmroztas, making exploitation trivially accessible.
Q4: Has CVE-2026-39808 been actively exploited in the wild?
Yes, active scanning is confirmed, and CISA has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog, indicating real-world exploitation.
Site: https://thecybrdef.com