About:
CVE-2026-39808 is a critical OS command injection vulnerability in the FortiSandbox API caused by improper neutralization of special elements used in system commands.
An attacker can exploit this flaw by sending specially crafted requests to vulnerable API endpoints. Successful exploitation may allow execution of arbitrary commands on the FortiSandbox appliance, potentially leading to full compromise of the system and analysis infrastructure.
Public proof-of-concept details have been published, increasing the likelihood of exploitation.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
OS Command Injection Vulnerability in Fortinet FortiSandbox
Identifier: CVE-2026-39808
CVSS Score: 9.1 (Critical, CVSS v3.0 – Fortinet advisory)
PoC or Exploitation:
Public reporting indicates that proof-of-concept exploit details have been published, increasing the likelihood of exploitation.
Update/Patch:
Fortinet has released fixes addressing this vulnerability.
Affected versions include:
- FortiSandbox 4.4.0 through 4.4.8
Fixed versions include:
- FortiSandbox 4.4.9 and later
Not affected:
- FortiSandbox 5.0
- FortiSandbox PaaS 5.0
Fortinet advisory and patch guidance:
Description:
CVE-2026-39808 is an OS command injection vulnerability in the FortiSandbox API caused by improper neutralization of special elements used in OS commands.
An attacker can exploit this vulnerability by sending crafted requests to the affected API endpoint. Successful exploitation may allow execution of arbitrary commands on the FortiSandbox appliance.
Mitigation Recommendation:
- Immediately upgrade FortiSandbox to version 4.4.9 or later.
- Prioritize patching internet-facing and externally accessible FortiSandbox deployments.
- Restrict access to FortiSandbox API and management interfaces to trusted networks only.
- Monitor system and application logs for suspicious HTTP requests, command execution activity, or abnormal administrative behavior.