Fortinet FortiSandbox unauthenticated OS command injection (4.4 branch and PaaS)
An unauthenticated OS command injection in Fortinet FortiSandbox 4.4.0–4.4.8 and a range of FortiSandbox PaaS builds lets a network attacker run arbitrary commands via crafted HTTP requests. CVSS 9.8; CISA-listed KEV.
- Vendor
- Fortinet
- Product
- FortiSandbox (4.4 branch and multiple PaaS builds — see body)
- CVSS
- 9.8
- EPSS (exploit probability)
- N/A
- Status
- kev
- Published
CVE-2026-39808 is an unauthenticated OS command injection (CWE-78) in Fortinet’s FortiSandbox appliance. Per NVD, the flaw is an “improper neutralization of special elements used in an os command” bug that “may allow attacker to execute unauthorized code or commands” against affected builds. CVSS 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network-reachable, no authentication, no user interaction.
Affected builds
Per NVD’s affected-product enumeration:
- FortiSandbox 4.4.0 through 4.4.8 (on-prem appliance)
- FortiSandbox PaaS, versions 23.4.4374, 23.4.4350, 23.3.4329, 23.1.4245, 22.2.4151, 22.2.4134, 22.1.4113, 21.4.4072, and 21.3.4055
Only the 4.4 branch is affected on the on-prem side for this CVE — 4.2 and 5.0 fall under the companion advisory CVE-2026-25089, which covers a broader range and a different fixed-build table. Confirm the exact fixed build against FG-IR-26-100 directly.
Status
CISA added CVE-2026-39808 to the Known Exploited Vulnerabilities catalog on 2026-07-16, with a federal remediation deadline of 2026-07-19 under BOD 26-04. Known ransomware-campaign use is currently listed as unknown on the KEV entry.
What to do
Upgrade every affected FortiSandbox 4.4 appliance and PaaS instance to the fixed build per FG-IR-26-100. Until the upgrade lands, restrict the management interface to the specific FortiManager, FortiAnalyzer, and administrative source IPs that actually need it — the vector is HTTP against the appliance itself, so anything reachable from an untrusted segment is one request away from RCE. See the article writeup for the operational sequence and the pairing with CVE-2026-25089.
