FORTINET has warned that a critical authentication bypass in FortiSandbox, tracked as CVE-2026-39813, is being exploited in the wild. The flaw lets attackers send specially crafted HTTP requests to the appliance’s API or web interface and run arbitrary commands without needing valid credentials. Systems with management ports exposed to the internet are at greatest risk. A patch addressing the issue has been released and carries a CVSS score of 9.1.
The vulnerability resides in how the FortiSandbox service validates incoming requests, allowing an unauthenticated user to inject shell metacharacters that are then executed with the privileges of the sandbox process. A related flaw, CVE-2026-39808, also permits authentication bypass through a different endpoint, while CVE-2026-25089 enables direct OS command injection via the same vector. All three issues affect FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8, as well as certain cloud and PaaS offerings; version 5.2 remains unaffected. Exploitation requires only network reachability to the management interface and no prior authentication.
Security researchers at Defused observed exploitation attempts against all three CVEs within days of the public disclosure, with honeypots logging numerous POST requests containing the characteristic payloads. While no specific threat actor has been linked to the activity, the volume and timing suggest opportunistic scanning rather than a targeted campaign. The activity coincides with a broader wave of Fortinet device compromises reported under the FortiBleed label, which saw tens of thousands of firewalls probed for weak credentials. Nonetheless, the FortiSandbox bugs themselves have been used to gain footholds inside segmented networks.
Fortinet’s advisory FG‑IR‑26‑112 outlines the affected versions and provides upgrade paths, advising administrators of the 5.0 branch to move to 5.0.6 or later and those on the 4.4 branch to adopt 4.4.9 or higher. The vendor notes that the cloud‑based instances are patched automatically, but on‑premises appliances require manual intervention. Applying the update removes the unsafe request handling and restores proper validation of user input.
Defenders should first verify whether any FortiSandbox instances are reachable from untrusted networks and, if possible, move management access to a dedicated VLAN or enforce strict firewall rules limiting source addresses. Next, apply the latest firmware from the Fortinet support site as soon as schedules allow, prioritising devices that face the internet. After patching, review web‑server and API logs for unexpected POST parameters or unusual command strings, and consider enabling multi‑factor authentication for administrative accounts where supported.
Staying current with Fortinet’s PSIRT notifications and subscribing to vulnerability feeds will help ensure that similar issues are caught before they can be leveraged. Regularly scanning external assets for exposed management interfaces and maintaining an inventory of version numbers reduces the window of opportunity for attackers. By combining prompt patching with network hygiene, organisations can mitigate the risk posed by CVE-2026-39813 and its companions.