
CVE-2026-39808: Fortinet FortiSandbox Command Injection Under Active Exploitation

The CrowdSec Network has detected early exploitation attempts targeting CVE-2026-39808, a critical OS command injection vulnerability in Fortinet FortiSandbox that lets a remote attacker run unauthorized commands on the appliance — the very box that is supposed to safely detonate malware for everyone else.

Key findings

  • Published in April, exploited in June: CVE-2026-39808 was published on April 14, 2026. CrowdSec released a detection rule on June 17, 2026, and observed the first in-the-wild exploitation attempts that same day.
  • Critical severity with a public exploit: The flaw carries a CVSS 9.1 rating, and a working proof-of-concept and a public Nuclei detection template are already available, lowering the barrier for opportunistic attackers.
  • Early Exploitation phase: The CrowdSec Network is currently tracking 49 unique malicious IP addresses probing this vulnerability, placing it firmly in the “Early Exploitation” phase.

What is FortiSandbox?

FortiSandbox is Fortinet’s advanced threat protection appliance. It receives suspicious files and URLs from across the network — from firewalls, mail gateways, and endpoints — and “detonates” them in an isolated environment to spot zero-day malware before it reaches users. It is typically operated by SOC analysts, security engineers, and IT teams in larger organizations, and it sits in a position of deep trust at the center of the security stack.

Why it matters: A sandbox is built to handle hostile, attacker-supplied content by design, so it is one of the worst possible places to have a command injection bug. Gaining code execution here is like breaking into the bomb-disposal lab — the attacker lands directly on a trusted security appliance with broad visibility and integrations, providing a foothold to pivot deeper, steal data, or disable defenses across the environment.

How does CVE-2026-39808 work?

CVE-2026-39808 is an improper neutralization of special elements used in an OS command (CWE-78), affecting FortiSandbox versions 4.4.0 through 4.4.8 and FortiSandbox PaaS.

The vulnerability lives in the /fortisandbox/job-detail/tracer-behavior endpoint. Attackers inject shell metacharacters into the jid parameter, which is passed to an underlying OS process without being properly sanitized, so their commands execute with system-level privileges. Follow-up requests to /ng/<filename>.txt are used to confirm that a file was created and the injection succeeded. Security researchers have shown the flaw can be chained with other FortiSandbox issues to achieve unauthenticated root-level remote code execution.
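The two-step request pattern described above (a request to the tracer-behavior endpoint with a `jid` value that a job id should never contain, followed by a read of `/ng/<name>.txt` from the same source) can be turned into a simple log-based detection. The code below is an added illustration, not CrowdSec's detection rule and not Fortinet code: the combined-format log lines and the placeholder `jid` value are constructed for the example, and the set of shell metacharacters flagged is an assumption about what a numeric job id should never carry.

```python
# Added example (not CrowdSec's rule, not Fortinet code): flag HTTP requests that match
# the exploitation pattern described for CVE-2026-39808, i.e. shell metacharacters in
# the `jid` parameter of /fortisandbox/job-detail/tracer-behavior, and the follow-up
# GET of /ng/<name>.txt from the same source that is used to confirm success.
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/fortisandbox/job-detail/tracer-behavior"
# Assumed list of characters that a numeric job id never needs but that let input
# break out of a shell command; tune to local policy.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]|\\")
CONFIRM_PATH = re.compile(r"^/ng/[^/]+\.txt$")
CONFIRM_WINDOW = timedelta(minutes=10)

# Apache/NGINX combined-style access log line: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs). The second line carries an obviously
# placeholder injection value; the first is a legitimate numeric job id.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jun/2026:08:01:02 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=4821 HTTP/1.1" 200 512
198.51.100.7 - - [17/Jun/2026:08:03:11 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=1%3B%24(PLACEHOLDER_CMD) HTTP/1.1" 200 88
198.51.100.7 - - [17/Jun/2026:08:03:14 +0000] "GET /ng/x.txt HTTP/1.1" 200 2
203.0.113.10 - - [17/Jun/2026:08:05:40 +0000] "GET /ng/report.txt HTTP/1.1" 404 0
"""


def classify_request(target: str):
    """Return 'inject', 'confirm', or None for one request target (path plus query)."""
    parts = urlsplit(target)
    if parts.path == VULN_PATH:
        # parse_qs decodes one layer of percent-encoding; unquote() again so a
        # double-encoded value such as %253B (-> %3B -> ;) is still caught.
        for jid in parse_qs(parts.query, keep_blank_values=True).get("jid", []):
            if SHELL_META.search(unquote(jid)):
                return "inject"
        return None
    if CONFIRM_PATH.match(parts.path):
        return "confirm"
    return None


def detect(log_text: str):
    """Scan access-log text and return one alert per injection attempt.

    An alert's 'confirmed' flag is set when the same source IP reads /ng/<name>.txt
    within CONFIRM_WINDOW of its injection attempt, which is the pattern described
    for verifying that the injected command created a file.
    """
    alerts = []
    last_inject = {}  # source ip -> index of its most recent injection alert
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the whole scan
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        kind = classify_request(m["target"])
        if kind == "inject":
            alerts.append({"ip": m["ip"], "ts": ts, "target": m["target"], "confirmed": False})
            last_inject[m["ip"]] = len(alerts) - 1
        elif kind == "confirm" and m["ip"] in last_inject:
            alert = alerts[last_inject[m["ip"]]]
            if ts - alert["ts"] <= CONFIRM_WINDOW:
                alert["confirmed"] = True
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        state = "injection + file read (likely success)" if a["confirmed"] else "injection attempt"
        print(f"{a['ts'].isoformat()} {a['ip']} {state}: {a['target']}")
```

A benign `/ng/<name>.txt` read with no preceding injection attempt from that source (the last sample line) produces no alert, and a purely numeric `jid` never matches, so the rule keys on the combination rather than on either request alone.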

Threat Landscape Analysis

CrowdSec has been tracking this vulnerability since our detection rule was released on June 17, 2026. Analysis of our network traffic places this threat in the Early Exploitation phase, with 49 unique malicious IP addresses flagged probing for vulnerable, internet-exposed appliances since the first observed attack.

While that volume is still relatively contained, the trajectory is concerning. A public proof-of-concept already exists, and third-party threat intelligence has reported the chaining of FortiSandbox flaws to deliver unauthenticated root code execution against financial and critical-infrastructure organizations. The pattern is a familiar one for edge security appliances: a quiet window of targeted, low-volume probing that can flip into wide-scale automated scanning once exploit tooling becomes widely shared. With a high-value target like a sandbox and a working exploit in circulation, immediate remediation is the safe assumption.

How to protect your systems

  • Patch: Upgrade FortiSandbox to a fixed release as listed in Fortinet advisory FG-IR-26-100 (versions 4.4.0 through 4.4.8 are affected). Patching is the only complete fix.
  • Preemptive blocking: Do not expose the FortiSandbox management interface to the internet. Where exposure is unavoidable, put the CrowdSec WAF in front of the appliance and subscribe to the CrowdSec Intelligence Blocklists to preemptively drop traffic from the IPs already attacking our network.
  • Stay proactive: For instant monitoring of how this CVE evolves, follow the CrowdSec Live Exploit Tracker for CVE-2026-39808.

Unsure about where to start? Check out our special 3-minute introduction track at: https://start.crowdsec.net

Sharing insights and taking swift action can collectively reduce the impact of these threats. This is your call to action for real-time threat intelligence and collaborative cybersecurity.
