Fortinet Discloses Critical OS Command Injection in FortiSandbox (CVSS 9.1)
Fortinet disclosed a critical OS command injection vulnerability in FortiSandbox, allowing unauthenticated attackers to execute arbitrary code via crafted HTTP requests.
Fortinet has disclosed a critical OS command injection vulnerability in its FortiSandbox security appliance, tracked as FG-IR-26-100 with a CVSSv3 score of 9.1. The flaw, categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), allows an unauthenticated attacker to execute arbitrary code or commands on affected systems by sending specially crafted HTTP requests. No authentication is required, making the vulnerability particularly dangerous for organizations that have not yet applied the available patch.
The vulnerability affects FortiSandbox versions 4.4.0 through 4.4.8. Fortinet has released FortiSandbox 4.4.9 to address the issue, and customers are urged to upgrade immediately. FortiSandbox 5.0 and FortiSandbox PaaS 5.0 are not affected by this vulnerability, so customers running those versions do not need to take any action. The advisory notes that the vulnerability was discovered and reported by Samuel de Lucas Maroto from KPMG Spain under Fortinet's responsible disclosure program.
FortiSandbox is a network security appliance designed to detect and block advanced threats by analyzing suspicious files and URLs in a sandboxed environment. Because it is often deployed at network perimeters and handles untrusted data, a remote code execution vulnerability in the product could allow attackers to bypass security controls and gain a foothold inside an organization's network. The fact that the vulnerability requires no authentication and can be triggered via HTTP requests makes it especially attractive to threat actors seeking initial access.
While Fortinet has not reported any active exploitation of this vulnerability in the wild, the high CVSS score and the ease of exploitation mean that proof-of-concept code could emerge quickly. Security teams should prioritize patching FortiSandbox appliances, especially those exposed to the internet. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog, but that could change if exploitation is detected.
This disclosure is the latest in a series of critical vulnerabilities patched by Fortinet in 2026. Earlier this year, the company addressed critical remote code execution flaws in FortiAuthenticator and FortiSandbox, as well as a high-severity OS command injection in FortiAP devices. The pattern underscores the challenge of maintaining security across a broad product portfolio, particularly for appliances that are often deployed in sensitive network positions.
Organizations running FortiSandbox should verify their firmware version and upgrade to 4.4.9 or later as soon as possible. In the interim, network administrators can reduce risk by restricting HTTP access to the FortiSandbox management interface to trusted IP addresses only. Given the critical nature of the vulnerability and the lack of authentication required, delaying the patch could expose organizations to significant risk of compromise.