Fortinet has announced important security updates to address two critical vulnerabilities in its FortiSandbox product, identified as CVE-2026-39813 and CVE-2026-39808. These vulnerabilities pose serious risks, as they could be exploited by unauthenticated attackers to bypass authentication measures and execute unauthorized commands on vulnerable systems.

The vulnerabilities can be triggered through specially crafted HTTP requests, making unpatched FortiSandbox deployments particularly vulnerable. FortiSandbox is Fortinet’s advanced security solution designed to detect and analyze threats by executing suspicious files and URLs in a controlled environment before delivering verdicts on their safety.

Understanding FortiSandbox

FortiSandbox plays a critical role in the Fortinet Security Fabric, which includes various other security products such as firewalls, email security appliances, endpoint security clients, Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR) solutions. The verdicts provided by FortiSandbox are crucial for these products to enforce blocking decisions, trigger alerts, and execute automated response playbooks.

Details of the Vulnerabilities

The first vulnerability, CVE-2026-39813, is categorized as a path traversal flaw within FortiSandbox's JRPC API. This vulnerability impacts systems running FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8, allowing attackers to bypass authentication.

The second vulnerability, CVE-2026-39808, affects an unspecified API within FortiSandbox versions 4.4.0 through 4.4.8. It enables unauthorized code or command execution due to improper handling of special elements used in operating system commands.

Both vulnerabilities have been responsibly disclosed to Fortinet by researchers. CVE-2026-39813 was reported by a member of Fortinet's own Product Security Incident Response Team (PSIRT), while CVE-2026-39808 was identified by a researcher from KPMG Spain.

As of now, there are no indications that these vulnerabilities have been exploited by malicious actors. However, a compromised FortiSandbox instance could potentially be used to misrepresent malicious files as benign, thereby misleading dependent Fortinet products or serving as an entry point for further attacks within enterprise networks.

In addition to addressing these critical vulnerabilities, Fortinet's latest security update also resolves three medium-severity vulnerabilities that were discovered internally. These include two vulnerabilities (CVE-2025-61886 and CVE-2026-39812) that could allow for cross-site scripting attacks, and one vulnerability (CVE-2026-25691) that may enable a privileged attacker with super-admin access to delete arbitrary directories via crafted HTTP requests.

Organizations using FortiSandbox are strongly advised to apply the security updates promptly to mitigate potential risks. Fortinet continues to emphasize the importance of maintaining robust cybersecurity practices to safeguard against evolving threats.

Stay informed on the latest cybersecurity threats and vulnerabilities by subscribing to our breaking news email alerts.

Source: Help Net Security News