FortiSandbox path traversal grants admin (CVE-2026-39813)
CVE-2026-39813 grants unauthenticated attackers admin-level command execution on FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 through path traversal. Upgrade to 4.4.9 or 5.0.6 immediately.
Patch now - CVE-2026-39813 is a critical path traversal in FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5 that lets an unauthenticated remote attacker take full administrative control of the appliance. Upgrade to version 4.4.9 or 5.0.6 to block exploitation.
Overview
A critical path traversal vulnerability, identified as CVE-2026-39813, affects Fortinet FortiSandbox versions 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5. This flaw allows a remote, unauthenticated attacker to perform directory traversal attacks, potentially leading to a full compromise of the appliance with administrative privileges.
Vulnerability Details
The vulnerability exists due to insufficient sanitization of user-supplied input in a specific component of the FortiSandbox web interface. By crafting a malicious HTTP request containing directory traversal sequences (like ../), an attacker can manipulate file paths. Successful exploitation could allow an attacker to read, write, or execute files outside the intended directory, which is the mechanism that leads to privilege escalation.
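The advisory describes the general mechanism only, so the following is an added illustration of the coding error class, not Fortinet's code and not a description of the FortiSandbox component: a path resolver that joins user input onto a base directory without checking where the result lands, beside a hardened version that decodes once, rejects absolute and double-encoded input, canonicalises, and requires the result to remain under the base directory. The base directory name and the sample inputs are constructed for the example.

```python
import os
import urllib.parse
from pathlib import Path

# Hypothetical base directory for the demonstration; the real appliance's
# directory layout is not described in the advisory and is not assumed here.
BASE_DIR = Path("/opt/appliance/reports").resolve()


def resolve_unsafe(user_path: str) -> Path:
    """Vulnerable pattern, kept only for contrast: the caller-supplied path is
    joined onto BASE_DIR and normalised, but never checked to still lie inside
    it. os.path.join also discards BASE_DIR entirely when the input is absolute."""
    return Path(os.path.normpath(os.path.join(str(BASE_DIR), user_path)))


def resolve_safe(user_path: str) -> Path:
    """Hardened pattern: decode once, reject double-encoding, absolute paths and
    NUL bytes, then canonicalise and require the result to stay under BASE_DIR.
    Raises ValueError for anything that would leave the directory."""
    decoded = urllib.parse.unquote(user_path)
    if urllib.parse.unquote(decoded) != decoded:
        raise ValueError("double-encoded path rejected")
    if not decoded or decoded.startswith(("/", "\\")) or "\x00" in decoded:
        raise ValueError("empty, absolute or NUL-containing path rejected")
    # resolve() collapses '..' segments and follows symlinks, so the containment
    # test below is made on the path that would actually be opened.
    candidate = (BASE_DIR / decoded).resolve()
    try:
        candidate.relative_to(BASE_DIR)
    except ValueError:
        raise ValueError(f"path escapes base directory: {decoded!r}") from None
    return candidate


def is_contained(user_path: str) -> bool:
    """True if the hardened resolver accepts the path, False if it rejects it."""
    try:
        resolve_safe(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign, three that the unsafe resolver lets out.
    for p in ["sample1/report.json", "../../etc/passwd",
              "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"]:
        print(f"{p!r:30} unsafe -> {resolve_unsafe(p)}  contained={is_contained(p)}")
```

The containment test compares canonical paths rather than looking for the literal string `../`, which is what makes it robust to encoded, mixed-separator and symlink variants; string filtering alone is the pattern that tends to be bypassed.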
Impact
With a CVSS score of 9.8 (critical), this vulnerability poses a severe risk. An attacker with network access to the FortiSandbox management interface could exploit this flaw without any credentials. The primary consequence is complete system compromise, granting the attacker the same level of access as a system administrator. This could lead to data theft, deployment of persistent malware, or use of the appliance as a foothold for further attacks within the network.
Affected Products
- FortiSandbox version 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8
- FortiSandbox version 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5
Remediation and Mitigation
The vendor has released patches to address this vulnerability. All affected users must apply these updates immediately.
Primary Action: Patch
- Upgrade FortiSandbox 4.4.x installations to version 4.4.9 or later.
- Upgrade FortiSandbox 5.0.x installations to version 5.0.6 or later.
Interim Mitigations: If immediate patching is not possible, restrict network access to the FortiSandbox management interface. Ensure it is not exposed directly to the internet and is accessible only from trusted, internal management networks using strict firewall rules and, if possible, a VPN.
For more detailed instructions, refer to the official Fortinet Security Advisory. Administrators should also review their systems for any signs of anomalous activity.
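As an added example of the review the advisory recommends (not Fortinet's tooling, and not FortiSandbox's own log format), the following script scans web-server access logs for requests carrying directory traversal sequences, decoding URL encoding repeatedly so that single- and double-encoded variants are caught, and summarises hits per source address. The log lines are constructed in Common Log Format for the demonstration; adapt the regular expression to the format your appliance or reverse proxy actually emits.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample access log in Common Log Format; the addresses, paths and
# timestamps are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /ui/dashboard HTTP/1.1" 200 5123
203.0.113.9 - - [12/Mar/2026:10:01:07 +0000] "GET /api/v1/files?path=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.9 - - [12/Mar/2026:10:01:09 +0000] "GET /api/v1/files?path=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0
203.0.113.9 - - [12/Mar/2026:10:01:11 +0000] "GET /api/v1/files?path=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.1" 200 312
10.0.0.5 - - [12/Mar/2026:10:02:00 +0000] "POST /api/v1/login HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A '..' segment followed by a separator (or end of string) after decoding.
TRAVERSAL_RE = re.compile(r'\.\.(?:[/\\]|$)')


def fully_decode(s: str, max_rounds: int = 3) -> (str, int):
    """Apply URL decoding until the string stops changing; return the decoded
    string and how many rounds changed it (more than one means double-encoding)."""
    rounds = 0
    for _ in range(max_rounds):
        d = urllib.parse.unquote(s)
        if d == s:
            break
        s, rounds = d, rounds + 1
    return s, rounds


def detect_traversal(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose decoded target contains a traversal
    sequence, with the HTTP status so that apparent successes stand out."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, rounds = fully_decode(m.group("target"))
        if TRAVERSAL_RE.search(decoded.replace("\\", "/")):
            hits.append({
                "src": m.group("src"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "decoded_target": decoded,
                "status": m.group("status"),
                "encoding_rounds": rounds,
                "succeeded": m.group("status").startswith("2"),
            })
    return hits


def summarize_by_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count traversal attempts per source address."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_traversal(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["decoded_target"]} '
              f'status={h["status"]} encoded_x{h["encoding_rounds"]} ok={h["succeeded"]}')
    print(summarize_by_source(found))
```

A 2xx status on a traversal request is the line to escalate on: it means the appliance served something for a path that should never have resolved, whereas 403s show the attempt was blocked. Requests decoded more than once are worth flagging on their own, since legitimate clients do not double-encode path separators.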
Security Insight
This vulnerability underscores the persistent risk of path traversal flaws in network security appliances, which are often perceived as hardened targets. Similar to past incidents in other vendors’ gear, it highlights that complex management interfaces can introduce critical attack surfaces. The high CVSS score reflects the dangerous convergence of a common coding error with a network-accessible, pre-authentication attack vector on a device designed to analyze malicious content. For context on evolving attacker tooling, see related news on the CyberStrikeAI tool adopted by hackers for AI-powered attacks.
Related Advisories
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code ...
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an in...
excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or St...
The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can...