
Fortinet Releases Fixes for Critical FortiSandbox Flaws That Need No Login

Public scanners for the bugs raise near-term risk, making fast patching the safest move for networks that rely on FortiSandbox verdicts.

Overview

  • Fortinet published 26 advisories on Tuesday covering 27 issues across its products, with two FortiSandbox bugs rated 9.1 out of 10 and exploitable through crafted HTTP requests without authentication.
  • CVE-2026-39813 is a path traversal in the FortiSandbox JRPC API that lets an unauthenticated attacker bypass login, and CVE-2026-39808 allows OS command execution; Fortinet fixed both in FortiSandbox 4.4.9 and later and, for the JRPC issue, also in 5.0.6 and later.
  • Researchers have released free scanners for both flaws, which lets defenders, and attackers, locate exposed systems quickly, even though Fortinet reports no confirmed exploitation so far.
  • Beyond FortiSandbox, patches include CVE-2026-22828 in FortiAnalyzer Cloud that could enable remote code execution without login and two high‑severity SQL injection bugs in FortiDDoS‑F and FortiClientEMS that require authentication.
  • FortiSandbox feeds threat verdicts to other Fortinet tools, so a compromise could let malicious files pass as safe or give attackers a foothold for lateral movement inside a company’s network.