Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

[KEV] CVE-2026-39808 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-39808 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-39808 is an OS command injection vulnerability in Fortinet FortiSandbox that allows unauthenticated remote attackers to execute arbitrary commands on affected systems via crafted HTTP requests.

Technical Detail

The flaw exists in FortiSandbox's HTTP request handling, where insufficient input validation allows an attacker to inject and execute operating system commands without any prior authentication. An attacker sends a specially crafted HTTP request to the exposed interface, causing the underlying system to interpret attacker-controlled input as OS-level commands. Successful exploitation results in unauthenticated remote code execution (RCE) with the privileges of the affected service, potentially granting full control of the FortiSandbox appliance.

Exploitation Status

CISA has confirmed active exploitation in the wild, adding this CVE to the Known Exploited Vulnerabilities catalog on July 16, 2026. The exploit is rated as operationally mature, meaning functional exploit code exists and is being actively used in attacks rather than existing only as a proof-of-concept. Organizations should treat this as under active threat and prioritize remediation immediately.

Who Is Targeting This

Reported (research-inferred): No public attribution currently links named threat actors to confirmed exploitation of this specific CVE. The data notes no public records or KEV/CERT/vendor reports attributing exploitation to named groups at this time. While several nation-state actors including Magic Hound (Iran), Sidewinder (China), Threat Group-3390 (China), Daggerfly (China), and CopyKittens (Iran) are associated with the broader threat landscape in the dataset, these are not confirmed as having exploited this specific vulnerability and should not be treated as verified attribution.

What To Do

Per CISA's Known Exploited Vulnerabilities catalog, organizations subject to BOD 22-01 must apply vendor-supplied patches or implement mitigations by the deadline specified in the KEV entry (added July 16, 2026). Apply the latest Fortinet-issued security update for FortiSandbox immediately. If patching cannot be completed without delay, restrict external access to the FortiSandbox management interface and HTTP-exposed services at the network perimeter as an interim control. Review FortiSandbox logs for anomalous HTTP requests, unexpected process spawning, or outbound connections from the appliance that may indicate prior compromise. Given the unauthenticated nature of this vulnerability, internet-exposed FortiSandbox instances should be treated as highest priority for remediation.

All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →