A critical vulnerability identified as CVE-2026-39808 in Fortinet's FortiSandbox product has a proof-of-concept exploit that has been publicly released. This flaw permits an attacker to execute arbitrary operating system commands with root privileges without any authentication. Originally discovered in November 2025, the vulnerability became public after Fortinet released a patch in April 2026. Security teams are strongly advised to apply this patch immediately, given the availability of the exploit on GitHub.
The vulnerability is an OS command injection issue in FortiSandbox, a popular tool for detecting advanced threats and malware. It affects the endpoint /fortisandbox/job-detail/tracer-behavior and is present in versions 4.4.0 through 4.4.8. Attackers can inject harmful commands via the jid GET parameter using the pipe symbol, allowing them to execute commands with root-level access. This security gap results from inadequate input validation, leading to the direct execution of commands by the operating system.
The ease of exploitation makes this vulnerability particularly concerning. According to researcher samu-delucas, who shared the proof-of-concept, a simple curl command can enable remote code execution as root without needing login credentials. This capability allows attackers to read sensitive files, deploy malware, or completely compromise the system without authentication.
Fortinet has addressed the vulnerability and issued an advisory under FG-IR-26-100, which provides details on the severity and affected versions. Organizations using FortiSandbox 4.4.0 through 4.4.8 should prioritize upgrading to a patched version. With the exploit now in public hands, the risk of exploitation is high, and security teams must act swiftly to protect their systems.


