SYS::ONLINE
Wasteland.
Briefs1222
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-39808 2026-07-16

Fortinet FortiSandbox Hit by Critical Unauthenticated Command Injection (CVE-2026-39808)

"CISA has added CVE-2026-39808, a critical unauthenticated OS command injection flaw in Fortinet FortiSandbox, to its Known Exploited Vulnerabilities catalog with confirmation of active exploitation."

CISA has added CVE-2026-39808, a critical unauthenticated OS command injection flaw in Fortinet FortiSandbox, to its Known Exploited Vulnerabilities catalog with confirmation of active exploitation.

What Is It

CVE-2026-39808 is an OS command injection vulnerability (CWE-78) in Fortinet FortiSandbox. Per the CISA KEV entry, it "could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests." The NVD record carries a CVSS 3.1 base score of 9.8 (CRITICAL), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, network-reachable, low complexity, no privileges or user interaction required, with high impact to confidentiality, integrity, and availability.

Why It Matters

CISA added this CVE to the KEV catalog on 2026-07-16, confirming active exploitation in the wild. The CISA Coordinator SSVC assessment marks exploitation as "active," automatable as "yes," and technical impact as "total." Combined with the 9.8 score and the fact that an unauthenticated attacker can trigger it remotely via crafted HTTP requests, this represents a high-priority remote code execution risk. Known ransomware campaign use is listed as "Unknown."

What's Vulnerable

Patch Status

CISA's required action: apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 guidance and CISA's "Forensics Triage Requirements." For cloud services, follow applicable BOD 26-04 guidance or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure. The remediation due date is 2026-07-19. Refer to Fortinet advisory FG-IR-26-100 for vendor instructions.

Sources