Fortinet Patches Critical FortiSandbox and FortiManager Command-Execution Flaws
Fortinet issued multiple 2026 security advisories covering a broad set of vulnerabilities across FortiSandbox, FortiManager, FortiAnalyzer, FortiOS, FortiAP, FortiProxy, FortiPAM, FortiSwitchManager, FortiSwitchAXFixed, and related cloud offerings. The most severe flaws affect FortiSandbox: CVE-2026-39808, an unauthenticated OS command injection bug that could allow arbitrary command execution and full device compromise; CVE-2026-39813, a path traversal issue in the JRPC API that may enable authentication bypass and privilege escalation; and CVE-2026-26083, a missing authorization flaw that can expose restricted functionality and sensitive sandbox analysis data through the GUI without authentication. National cyber authorities in Canada and Belgium separately warned organizations to apply Fortinet’s fixes immediately.
Fortinet also disclosed high-risk issues in management platforms, notably CVE-2025-54820, a stack-based buffer overflow in the FortiManager fgtupdates service that can let remote unauthenticated attackers execute unauthorized commands when the service is enabled, as well as a heap-based buffer overflow affecting FortiAnalyzer Cloud and FortiManager Cloud. Additional weaknesses across the product line include authentication and MFA bypasses, SQL injection, API denial of service, CLI command injection in FortiAP, CAPWAP daemon memory corruption in FortiOS, stored and reflected XSS, improper access control, and credential exposure. Fortinet advised customers to upgrade to fixed releases, disable exposed services such as fgtupdates where possible, restrict CLI, SSH, and API access, and monitor logs for anomalous authentication, privilege escalation, and endpoint activity.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Defused reports active exploitation of FortiSandbox flaws
On 2026-06-16, BleepingComputer reported Defused had observed active exploitation of multiple critical Fortinet FortiSandbox vulnerabilities, including CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. The report said exploitation was seen within the previous 24 hours, marking a shift from disclosed vulnerabilities to confirmed in-the-wild attacks.
Belgium CCB warns to patch critical FortiSandbox command injection flaw
On 2026-06-11, Belgium's Centre for Cybersecurity published an advisory warning about Fortinet's critical FortiSandbox command injection vulnerability and urged organizations to patch immediately. The notice concerns the FortiSandbox flaw previously disclosed by Fortinet affecting FortiSandbox products.
VulnCheck first observes exploitation of CVE-2026-39808
Researchers at VulnCheck first observed active exploitation of FortiSandbox vulnerability CVE-2026-39808 on 2026-06-09. The later CyberScoop report said this exploitation began after Fortinet had disclosed and patched the flaw in April.
Fortinet discloses critical FortiSandbox OS command injection flaw
On 2026-06-09, Fortinet published advisory FG-IR-26-141 for CVE-2026-25089, a critical OS command injection vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. The flaw allows unauthenticated remote attackers to execute arbitrary operating system commands via the web interface, and Fortinet issued fixed-version and mitigation guidance.
Belgium CCB warns to patch Fortinet vulnerabilities immediately
On 2026-05-14, Belgium's Centre for Cybersecurity issued an advisory warning about multiple critical, high, and medium vulnerabilities in Fortinet FortiSandbox, FortiOS, FortiAP, FortiAnalyzer, and FortiManager. The notice urged immediate patching.
Fortinet publishes May advisories for five vulnerabilities
On 2026-05-12, Fortinet published security advisories for five vulnerabilities affecting FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS, FortiAP, FortiAnalyzer, FortiManager, and FortiOS. The most severe was CVE-2026-26083, a critical missing authorization flaw in FortiSandbox products that could be exploited remotely without authentication through the GUI to access restricted functionality or sensitive analysis data.
Fortinet publishes April advisories for 11 vulnerabilities
On 2026-04-14, Fortinet released security advisories addressing 11 vulnerabilities across FortiSandbox, FortiAnalyzer Cloud, FortiManager Cloud, FortiOS, FortiProxy, FortiPAM, FortiSwitchManager, and FortiDDoS-F. The most serious issues included critical unauthenticated FortiSandbox flaws enabling command execution, authentication bypass, and privilege escalation, plus a high-severity heap-based buffer overflow in cloud products.
Fortinet discloses FortiManager fgtupdates buffer overflow flaw
On 2026-03-10, Fortinet published advisory FG-IR-26-098 for CVE-2025-54820, a high-severity stack-based buffer overflow in the FortiManager fgtupdates service. The flaw could allow remote unauthenticated attackers to execute unauthorized commands under certain conditions, and Fortinet provided fixed-version guidance and a workaround to disable fgtupdates.
Fortinet issues March advisories for 11 vulnerabilities across enterprise products
On 2026-03-10, Fortinet published security advisories covering eleven vulnerabilities affecting products including FortiManager, FortiAnalyzer, FortiSwitchAXFixed, and FortiSandbox/FortiSandbox Cloud. The issues included buffer overflows, authentication and MFA bypasses, TLS validation weaknesses, OS command injection, privilege escalation, SQL injection, format string exposure, and stored XSS.
Sources
22 references tracked.
FortiSandbox Critical Security Risks Command Execution Bypass
linuxsecurity.com
Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April | CyberScoop
cyberscoop.com
Three critical FortiSandbox bugs rated 9.8 actively exploited | news | SC Media
scworld.com
Fortinet Warned as Three Critical FortiSandbox Bugs Come Under Attack
securityaffairs.com
Fortinet Patches 11 Vulnerabilities Across FortiSandbox, FortiOS, FortiAnalyzer, and FortiManager
cybersecuritynews.com
Fortinet security advisory (AV26-351) - Canadian Centre for Cyber Security
cyber.gc.ca
Fortinet Security Update - Patch for Multiple Vulnerabilities That Enable Malicious Command Execution
cybersecuritynews.com
Fortinet FortiManager fgtupdates Vulnerability Allows Attackers to Execute Malicious Commands
cybersecuritynews.com


