PT-2026-32687 · Fortinet · Fortisandbox
Published
2026-04-14
·
Updated
2026-07-08
·
CVE-2026-39808
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
FortiSandbox versions 4.4.0 through 4.4.8
Description
An OS command injection flaw exists in the JRPC API due to improper neutralization of the pipe symbol (
|) when processing the jid parameter. This allows an unauthenticated remote attacker to execute arbitrary code with root privileges by sending a specially crafted HTTP GET request to the /fortisandbox/job-detail/tracer-behavior endpoint. The issue occurs because the backend script passes the jid variable directly into a system-level shell command without adequate sanitization.Recommendations
Update FortiSandbox to version 4.4.9 or 5.0.0 and later.
Restrict access to ports 443 and 8443 to trusted administrative IP addresses only.
Block all traffic to the
/fortisandbox/job-detail/ path from general internal or external subnets.
As a temporary mitigation, avoid using the jid parameter in the /fortisandbox/job-detail/tracer-behavior endpoint.Exploit
Fix
RCE
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Fortisandbox