
CRITICAL: Three FortiSandbox Flaws Under Active Exploitation as Attackers Chain Auth Bypass and Command Injection

Three critical FortiSandbox vulnerabilities are under active exploitation, led by CVE-2026-39813, a path traversal flaw in the JRPC API that lets unauthenticated attackers bypass authentication via crafted HTTP requests. Paired with two OS command injection bugs, the chain gives remote code execution on appliances running FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8. Upgrade to 5.0.6 or 4.4.9 immediately.

By Danny Mercer, CISSP — Lead Security Analyst Jun 17, 2026

If you bought FortiSandbox to catch the malware your other defenses miss, the irony of this week's advisory is going to sting. Three separate critical vulnerabilities in the appliance are under active exploitation in the wild, and at least one of them gives an unauthenticated attacker who can reach the appliance a clean path from the open internet to command execution on the box that is supposed to be detonating other people's malware safely. Fortinet's PSIRT confirmed the exploitation within roughly twenty-four hours of the most recent patch landing, which tells you how closely adversaries are watching these advisories.

The headliner is CVE-2026-39813, a path traversal flaw in the FortiSandbox JRPC API. Fortinet rates it CVSS 9.1 and NVD lists it at 9.8 critical; the disagreement does not matter, because either number means drop everything and patch now. The vulnerability lets an unauthenticated attacker bypass authentication entirely by sending specially crafted HTTP requests whose paths walk out of the intended directory structure. Once that bypass is in place, the attacker has the same posture as a logged-in admin, which on an inspection appliance is essentially keys to the kingdom. The affected versions are FortiSandbox 5.0.0 through 5.0.5 and FortiSandbox 4.4.0 through 4.4.8; the 5.2 branch and the older 4.2 branch are not vulnerable. Fixed builds are 5.0.6 and 4.4.9 respectively, both available through normal FortiCare update channels.

The second flaw, CVE-2026-39808, is an operating system command injection bug, also rated CVSS 9.1. Fortinet patched it quietly in April 2026, but it has resurfaced in attacker tradecraft now that proof-of-concept code is circulating. The vulnerability sits in the same HTTP request handling path that the path traversal abuses, so a clean exploit chain uses the auth bypass first and then pivots to command injection for code execution. The pairing is elegant from the attacker's perspective and brutal from the defender's: the chain takes a system from internet-facing to fully owned without credentials at any stage.

Rounding out the trio is CVE-2026-25089, another OS command injection vulnerability rated 9.1 critical. This one affects FortiSandbox, FortiSandbox Cloud, and the FortiSandbox PaaS Web UI, broadening the blast radius beyond on-premises hardware. Fortinet patched it the week before the active exploitation reports surfaced, and the attacker reaction time on this one was remarkable. Researchers analyzing the in-the-wild payload found something genuinely strange: the exploit code shows clear fingerprints of having been generated by a large language model, complete with the structural tells that AI-assisted code carries. It is also broken. The current public exploit for CVE-2026-25089 does not actually work reliably, which is the kind of detail you read twice. Attackers are now racing patches with AI-generated payloads they apparently did not test thoroughly, and the only thing keeping some organizations from being compromised is that the threat actors leaned a little too hard on their copilot. That window will close. Working exploit code typically follows broken exploit code by days, not weeks.

The exploitation pattern in the wild so far appears opportunistic rather than targeted. Honeypots and incident response engagements are picking up scanning that fingerprints the JRPC API endpoint, followed by attempts to drop persistence mechanisms or pivot deeper into the network. Because FortiSandbox lives in the inspection path for email, web, and file traffic, an attacker who owns the appliance gets a uniquely valuable position. They can see the malware samples your environment is encountering, harvest the indicators your security team is investigating, and quietly tamper with verdicts so their own implants come back clean. Worse, FortiSandbox often integrates with FortiGate firewalls, FortiMail gateways, and FortiClient endpoints through API trust relationships. Compromise the sandbox and you potentially compromise the policy enforcement points that trust it.

Compounding the urgency is the broader Fortinet threat landscape this month. While the FortiSandbox flaws were being exploited, separate reporting documented Russian-speaking threat actors compromising more than 30,791 Fortinet firewalls across 194 countries through credential reuse and credential stuffing campaigns. That campaign is not directly connected to these CVEs, but it tells you that Fortinet infrastructure is currently sitting near the top of multiple actors' target lists. If you are running any internet-exposed Fortinet gear and have not done a credential audit, MFA review, and management plane exposure check in the last quarter, you are operating on borrowed time.

Patching is the obvious first move, and it should not wait for the next maintenance window. FortiSandbox upgrades are straightforward through the FortiCare portal or via direct firmware push for organizations running their own management consoles. Anyone on the 5.0 branch wants 5.0.6 or later. Anyone on 4.4 wants 4.4.9 or later. The cloud and PaaS variants of FortiSandbox were patched by Fortinet directly, so customers of those tiers do not need to take action for the infrastructure side, although they should still confirm with their account teams that the patches have been applied to their tenants.

A note on attribution is worth making here. Fortinet credits Loic Pantano of its own PSIRT for discovering CVE-2026-39813 internally, which is a reminder that vendor-side security research still finds the bugs that matter. The other two CVEs in this cluster appear to have come through similar internal channels rather than external researcher disclosures, which is generally a good sign for the maturity of Fortinet's product security program. The bad sign is the speed at which adversaries are reverse engineering the patches and turning them into working exploits. The interval between a Fortinet PSIRT advisory and observed in-the-wild exploitation has been collapsing across multiple product lines over the last eighteen months, and that compression of the defender response window is now a structural feature of the threat landscape rather than an occasional surprise.

Past the patch, the harder work is figuring out whether you have already been hit. Start with the request logs for the JRPC API endpoint: any HTTP request containing path traversal sequences against that interface is suspicious by definition, and percent-encoded or double-encoded variants of those sequences count just as much as a literal dot-dot-slash. A traversal attempt that the appliance answered with a success status deserves more attention than one it rejected. FortiSandbox keeps audit logs of administrative actions, and reviewing those for unexpected configuration changes, new admin accounts, or scheduled tasks created in the last thirty days is a reasonable starting point. Network telemetry showing outbound connections from the FortiSandbox management IP to anything other than Fortinet update infrastructure should trigger an immediate investigation. If you have a network detection platform with TLS inspection on egress, this is exactly the kind of pivot point those tools were built to catch.
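As an added example that is not part of this article and not Fortinet tooling, the Python below runs the two hunts just described over constructed data: it normalizes percent-encoded request paths (including double encoding) from sample access-log lines written in a generic combined-log shape, flags traversal sequences aimed at the JRPC endpoint and rates them by response status, then checks a constructed flow list for egress from the management IP to anything outside an allow-list. The `/jsonrpc` path prefix, all IP addresses, and the log line layout are assumptions; FortiSandbox's actual log format differs and would need its own parser.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a generic combined-log shape.
# These are illustrative only and do not reproduce FortiSandbox's real log format.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [15/Jun/2026:09:12:01 +0000] "POST /jsonrpc HTTP/1.1" 200 512
203.0.113.7 - - [15/Jun/2026:09:12:03 +0000] "GET /jsonrpc/../../etc/passwd HTTP/1.1" 401 0
198.51.100.9 - - [15/Jun/2026:09:14:10 +0000] "GET /jsonrpc/%2e%2e%2f%2e%2e%2fconfig HTTP/1.1" 200 2048
198.51.100.9 - - [15/Jun/2026:09:14:11 +0000] "GET /jsonrpc/%252e%252e%252fadmin HTTP/1.1" 200 900
10.20.30.40 - - [15/Jun/2026:09:20:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4096
"""

# Hypothetical endpoint prefix: the advisory names the JRPC API but not its URL path.
JRPC_PREFIX = "/jsonrpc"

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double/triple-encoded dot-dot sequences collapse,
    stopping early once decoding no longer changes the string. Backslashes are folded
    to forward slashes so a Windows-style '..\\' is treated like '../'."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/")


def find_traversal_requests(log_text: str, prefix: str = JRPC_PREFIX) -> list[dict]:
    """Return one record per request whose decoded path contains a traversal sequence.
    Requests against the JRPC prefix that were answered 2xx are marked 'likely-bypass';
    everything else that traverses is marked 'probe'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        normalized = normalize_uri(m["uri"])
        path = normalized.split("?", 1)[0]
        if "../" not in path and not path.endswith("/.."):
            continue
        on_jrpc = path.startswith(prefix)
        succeeded = m["status"].startswith("2")
        hits.append({
            "src": m["src"],
            "ts": m["ts"],
            "uri": m["uri"],
            "normalized": normalized,
            "status": int(m["status"]),
            "jrpc": on_jrpc,
            "severity": "likely-bypass" if (on_jrpc and succeeded) else "probe",
        })
    return hits


# Constructed flow records as (src_ip, dst_ip, dst_port); all addresses are hypothetical.
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.11", 443),       # management IP to an in-scope update host
    ("192.0.2.10", "198.51.100.77", 443),    # management IP to an unknown external host
    ("192.0.2.10", "203.0.113.200", 4444),   # management IP to an unknown host, odd port
    ("192.0.2.55", "203.0.113.200", 4444),   # a different source, not the sandbox
]


def flag_unexpected_egress(flows, mgmt_ip: str, allowed_nets) -> list[tuple]:
    """Return flows where the sandbox management IP talks to any destination outside
    the allow-list of networks (the article's rule: only update infrastructure is expected)."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    return [
        f for f in flows
        if f[0] == mgmt_ip and not any(ipaddress.ip_address(f[1]) in net for net in allowed)
    ]


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"{hit['severity']:13} {hit['src']:15} {hit['status']} {hit['uri']} -> {hit['normalized']}")
    for flow in flag_unexpected_egress(SAMPLE_FLOWS, "192.0.2.10", ["192.0.2.0/24"]):
        print("unexpected egress:", flow)
```

The decode loop is the part worth keeping when you adapt this to real logs: a detector that only looks for a literal `../` misses `%2e%2e%2f` and `%252e%252e%252f`, and an appliance that decodes before routing will happily honor both. The allow-list for egress should be the update and licensing hosts you can actually document; anything you cannot explain from the management interface is an investigation, not a tuning exercise.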

For organizations that cannot patch immediately, the only real mitigation is to remove the JRPC API from network reachability. That means firewalling the management interface to a tightly scoped administrative subnet, killing any port-forwarding or VPN exposure that brings the appliance to the public internet, and confirming that no third party integration is using a publicly accessible JRPC endpoint. None of this is a substitute for the patch. It is a stopgap to buy you the time required to do the upgrade safely.

The MSP business angle here writes itself. Every customer running Fortinet inspection gear just got a tangible reason to consider managed patching, vulnerability monitoring, and incident response retainers. The pitch is straightforward. The three CVEs went from unknown to actively exploited in a window that no part-time IT shop can react to without help, and the threat actors are now using AI to crank out exploit code faster than vendor advisories can be read by humans. That gap between attacker tempo and defender capacity is exactly the market a competent MSP fills, and there has rarely been a cleaner real-world example to lead a sales conversation with. Bundle FortiSandbox patch validation, exposure scanning of customer perimeters for vulnerable versions, and a thirty day compromise assessment as a one-time engagement and you have a low friction entry point that often converts to a longer relationship once the customer sees how much they were not watching on their own.
