
Watch out for more Fortinet vulns! Two critical bugs in Fortinet’s sandbox could allow unauthenticated attackers to bypass authentication or execute unauthorized code on vulnerable systems.
Luckily, the security vendor has issued fixes – so patch now – and so far, there are no reports of active exploitation. But considering that the vulnerabilities are now public, both can be exploited without any authentication, and that attackers do love abusing Fortinet products, that is likely to change soon.
CVE-2026-39808 is an OS command injection flaw in FortiSandbox that allows unauthenticated attackers to execute unauthorized code or commands via HTTP requests. It received a critical, 9.1 CVSS rating, and it affects versions 4.4.0 through 4.4.8. Upgrading to FortiSandbox 4.4.9 or above patches the hole.
The second flaw, CVE-2026-39813, is a path traversal bug in the FortiSandbox JRPC API that allows an authentication bypass using specially crafted HTTP requests. It also earned a 9.1 CVSS rating and affects FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5. Patch to 4.4.9+ or 5.0.6+, depending on the branch, to fix the flaw. Fortinet security analyst Loic Pantano found this one.
A security researcher named Rishi has published scanners for both (CVE-2026-39808 and CVE-2026-39813), so we’d suggest using these to check and see if you are running any vulnerable instances.
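As an added example (not from the article, Fortinet, or the scanners it mentions), the small Python triage helper below maps FortiSandbox version strings onto the affected ranges and fixed releases the article gives, so an inventory can be sorted by which CVE still applies and which release closes it. The dotted `major.minor.patch` version format and the host inventory are assumptions constructed for the example; branches the article does not name are reported as out of scope rather than guessed at.

```python
"""Triage FortiSandbox versions against the ranges stated in the article.

Added example, not Fortinet code. Assumes versions are dotted integers
"major.minor.patch" (optionally prefixed with "v"); constructed inventory.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, first fixed) per CVE, as stated in the article.
ADVISORIES: Dict[str, List[Tuple[Version, Version, Version]]] = {
    "CVE-2026-39808": [((4, 4, 0), (4, 4, 8), (4, 4, 9))],            # 4.4.x only
    "CVE-2026-39813": [((4, 4, 0), (4, 4, 8), (4, 4, 9)),
                       ((5, 0, 0), (5, 0, 5), (5, 0, 6))],           # both branches
}


def parse_version(text: str) -> Version:
    """Turn '4.4.8' or 'v4.4.8' into (4, 4, 8); reject anything else loudly."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSandbox version: {text!r}")
    return tuple(int(p) for p in parts)


def exposure(version_text: str) -> Dict[str, str]:
    """Return {cve: minimum fixed release} for each CVE whose stated range
    contains this version; an empty dict means no listed range matched."""
    version = parse_version(version_text)
    hits: Dict[str, str] = {}
    for cve, ranges in ADVISORIES.items():
        for first, last, fixed in ranges:
            if first <= version <= last:          # tuple comparison is lexicographic
                hits[cve] = ".".join(map(str, fixed))
    return hits


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map every (host, version) pair in an inventory to its exposure."""
    return {host: exposure(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = [("fsa-dc1", "4.4.8"), ("fsa-dc2", "5.0.5"), ("fsa-lab", "v5.0.6")]
    for host, result in triage(sample).items():
        status = ", ".join(f"{c} (fix: {f})" for c, f in result.items()) or "not in a listed range"
        print(f"{host}: {status}")
```

Note that a 5.0.x host only shows the JRPC path traversal, matching the article's statement that the command injection is confined to 4.4.0 through 4.4.8.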
These security updates arrive about a week after Fortinet released an emergency patch for CVE-2026-35616, a critical FortiClient Enterprise Management Server (EMS) bug believed to be under attack since at least March 31.
On April 6, the US Cybersecurity and Infrastructure Security Agency (CISA) added the FortiClient EMS bug to its Known Exploited Vulnerabilities (KEV) Catalog, and set a four-day deadline for all federal agencies to apply the patch. ®