[KEV] CVE-2026-39808 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2026-39808 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2026-39808 is an OS command injection vulnerability in Fortinet FortiSandbox that allows unauthenticated remote attackers to execute arbitrary commands on affected systems via crafted HTTP requests.
Technical Detail
The flaw exists in FortiSandbox's HTTP request handling, where insufficient input validation allows an attacker to inject and execute operating system commands without any prior authentication. An attacker sends a specially crafted HTTP request to the exposed interface, causing the underlying system to interpret attacker-controlled input as OS-level commands. Successful exploitation results in unauthenticated remote code execution (RCE) with the privileges of the affected service, potentially granting full control of the FortiSandbox appliance.
Exploitation Status
CISA has confirmed active exploitation in the wild, adding this CVE to the Known Exploited Vulnerabilities catalog on July 16, 2026. The exploit is rated as operationally mature, meaning functional exploit code exists and is being actively used in attacks rather than existing only as a proof-of-concept. Organizations should treat this as under active threat and prioritize remediation immediately.
Who Is Targeting This
Reported (research-inferred): No public attribution currently links named threat actors to confirmed exploitation of this specific CVE. The data notes no public records or KEV/CERT/vendor reports attributing exploitation to named groups at this time. While several nation-state actors including Magic Hound (Iran), Sidewinder (China), Threat Group-3390 (China), Daggerfly (China), and CopyKittens (Iran) are associated with the broader threat landscape in the dataset, these are not confirmed as having exploited this specific vulnerability and should not be treated as verified attribution.
What To Do
Per CISA's Known Exploited Vulnerabilities catalog, organizations subject to BOD 22-01 must apply vendor-supplied patches or implement mitigations by the deadline specified in the KEV entry (added July 16, 2026). Apply the latest Fortinet-issued security update for FortiSandbox immediately. If patching cannot be completed without delay, restrict external access to the FortiSandbox management interface and HTTP-exposed services at the network perimeter as an interim control. Review FortiSandbox logs for anomalous HTTP requests, unexpected process spawning, or outbound connections from the appliance that may indicate prior compromise. Given the unauthenticated nature of this vulnerability, internet-exposed FortiSandbox instances should be treated as highest priority for remediation.