Patch these critical Fortinet sandbox bugs that let attackers bypass login, run commands over HTTP

Two critical vulnerabilities in FortiSandbox, CVE-2026-39808 (OS command injection) and CVE-2026-39813 (path traversal authentication bypass), allow unauthenticated attackers to execute commands or bypass login via crafted HTTP requests, each with a CVSS 3.1 score of 9.8. CVE-2026-39808 affects FortiSandbox versions 4.4.0 through 4.4.8 and is fixed in version 4.4.9, while CVE-2026-39813 affects versions 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5, requiring an upgrade to 4.4.9 or 5.0.6 respectively.

Patches

No reports of active exploitation (yet)

Jessica Lyons, Wed 15 Apr 2026 // 17:52 UTC

Watch out for more Fortinet vulns! Two critical bugs in Fortinet's sandbox could allow unauthenticated attackers to bypass authentication or execute unauthorized code on vulnerable systems. Luckily, the security vendor has issued fixes - so patch now - and so far, there are no reports of active exploitation. But considering that the vulnerabilities are now public, both can be exploited without any authentication, and that attackers do love abusing Fortinet products, that is likely to change soon.

CVE-2026-39808 is an OS command injection flaw in FortiSandbox that allows unauthenticated attackers to execute unauthorized code or commands via HTTP requests. It received a critical, 9.1 CVSS rating, and it affects versions 4.4.0 through 4.4.8. Upgrading to FortiSandbox 4.4.9 or above patches the hole.

The second flaw, CVE-2026-39813, is a path traversal bug in the FortiSandbox JRPC API that allows an authentication bypass using specially crafted HTTP requests. It also earned a 9.1 CVSS rating and affects FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5. Patch to 4.4.9+ or 5.0.6+, depending on the branch, to fix the flaw. Fortinet security analyst Loic Pantano found this one.

A security researcher named Rishi has published scanners for both (CVE-2026-39808 and CVE-2026-39813), so we'd suggest using these to check and see if you are running any vulnerable instances.
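As an added example (not code from The Register, Fortinet, or the scanners mentioned above), the Python below maps a FortiSandbox version string onto the affected ranges and fixed releases the article lists, so an inventory can be triaged for which hosts need which upgrade. The hostnames and versions in the sample inventory are constructed for the example.

```python
# Added example (not from The Register or Fortinet): flag FortiSandbox builds that fall
# inside the affected version ranges the advisory lists, and name the fixed release.
# Version ranges are taken from the article; anything outside them is reported as
# "not listed", which is not the same as "safe" (confirm against Fortinet's PSIRT advisory).
from typing import NamedTuple

class Advisory(NamedTuple):
    cve: str
    affected: tuple  # inclusive (low, high) version-tuple ranges
    fixed: dict      # branch "major.minor" -> first fixed version

ADVISORIES = (
    Advisory("CVE-2026-39808",
             affected=(((4, 4, 0), (4, 4, 8)),),
             fixed={"4.4": "4.4.9"}),
    Advisory("CVE-2026-39813",
             affected=(((4, 4, 0), (4, 4, 8)), ((5, 0, 0), (5, 0, 5))),
             fixed={"4.4": "4.4.9", "5.0": "5.0.6"}),
)

def parse_version(v: str) -> tuple:
    """Parse 'major.minor.patch'; a missing patch component counts as 0."""
    parts = v.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSandbox version string: {v!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def check_version(v: str) -> dict:
    """Return {cve: fixed_version} for each advisory whose affected range contains v."""
    ver = parse_version(v)
    branch = f"{ver[0]}.{ver[1]}"
    hits = {}
    for adv in ADVISORIES:
        if any(lo <= ver <= hi for lo, hi in adv.affected):
            hits[adv.cve] = adv.fixed[branch]
    return hits

def triage(inventory: dict) -> list:
    """Return (host, cve, upgrade_to) for every host whose version is in an affected range."""
    findings = []
    for host, version in inventory.items():
        for cve, fix in sorted(check_version(version).items()):
            findings.append((host, cve, fix))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up for the example).
    sample = {"sbx-lab-01": "4.4.7", "sbx-dc-02": "5.0.5", "sbx-dc-03": "5.0.6", "sbx-old": "4.2.6"}
    for host, cve, fix in triage(sample):
        print(f"{host}: affected by {cve}, upgrade to {fix}")
```

Hosts that match no range (such as the 4.2.6 build in the sample) produce no finding, which only means the article lists nothing for them, not that they are supported or patched.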
These security updates arrive about a week after Fortinet released an emergency patch for CVE-2026-35616, a critical FortiClient Enterprise Management Server (EMS) bug believed to be under attack since at least March 31. On April 6, the US Cybersecurity and Infrastructure Security Agency (CISA) added the FortiClient EMS bug to its Known Exploited Vulnerabilities (KEV) Catalog, and set a four-day deadline for all federal agencies to apply the patch. ®