CISA has added CVE-2026-39808, a critical unauthenticated OS command injection flaw in Fortinet FortiSandbox, to its Known Exploited Vulnerabilities catalog with confirmation of active exploitation.
What Is It
CVE-2026-39808 is an OS command injection vulnerability (CWE-78) in Fortinet FortiSandbox. Per the CISA KEV entry, it "could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests." The NVD record carries a CVSS 3.1 base score of 9.8 (CRITICAL), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, network-reachable, low complexity, no privileges or user interaction required, with high impact to confidentiality, integrity, and availability.
Why It Matters
CISA added this CVE to the KEV catalog on 2026-07-16, confirming active exploitation in the wild. The CISA Coordinator SSVC assessment marks exploitation as "active," automatable as "yes," and technical impact as "total." Combined with the 9.8 score and the fact that an unauthenticated attacker can trigger it remotely via crafted HTTP requests, this represents a high-priority remote code execution risk. Known ransomware campaign use is listed as "Unknown."
What's Vulnerable
- FortiSandbox versions 4.4.0 through 4.4.9 inclusive, per NVD configuration (CPE) data. Organizations should treat the entire 4.4.x line up to and including 4.4.9 as affected until they confirm a fixed release with Fortinet.
- FortiSandbox PaaS, affected releases: 21.3.4055, 21.4.4072, 22.1.4113, 22.2.4134, 22.2.4151, 23.1.4245, 23.3.4329, 23.4.4350, and 23.4.4374.
Patch Status
CISA's required action: apply mitigations in accordance with vendor instructions, ensuring compliance with CISA's BOD 26-04 guidance and CISA's "Forensics Triage Requirements." For cloud services, follow applicable BOD 26-04 guidance or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure. The remediation due date is 2026-07-19. Refer to Fortinet advisory FG-IR-26-100 for vendor instructions.
Sources
- CISA KEV Catalog; CVE-2026-39808: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-39808
- NVD, CVE-2026-39808: https://nvd.nist.gov/vuln/detail/CVE-2026-39808
- Fortinet PSIRT Advisory FG-IR-26-100: https://fortiguard.fortinet.com/psirt/FG-IR-26-100
- CISA BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk