Fortinet RCE Vulnerabilities 2026 – Critical vulnerabilities in FortiSandbox

On April 14th and 15th, 2026, Fortinet disclosed 27 new vulnerabilities affecting a wide range of its products. The most severe of the new flaws, CVE-2026-39808 (CVSS 9.8) and CVE-2026-39813 (CVSS 9.8), allow unauthenticated remote code execution (RCE) on FortiSandbox. FortiSandbox is Fortinet’s sandboxing and malware analysis service, distributed as on-premises hardware appliances, virtual machines (VMs), and a hosted cloud service. Together, these two critical CVEs prompted several national CERT advisories [1][2][3][4][5][6][7][8][9]. A public proof of concept (PoC) exploit for CVE-2026-39808 is available, increasing the risk.

One medium-severity CVE in the group, CVE-2025-61624 (CVSS 6.0), was reported by Fortinet as actively exploited but has not yet been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. No details of the attack campaigns and no public PoC are available.

Other Fortinet products affected by the disclosure include FortiOS, FortiWeb, FortiClient EMS, FortiDDoS-F, FortiSOAR, FortiManager, FortiSwitch Manager, FortiProxy, FortiPAM, FortiAnalyzer, FortiNDR, and FortiNAC-F. Earlier in April 2026, two other CVEs affecting FortiClient EMS, CVE-2026-35616 and CVE-2026-21643, were disclosed and quickly tagged as actively exploited.

Critical vulnerabilities in FortiSandbox

Greenbone’s OPENVAS ENTERPRISE FEED includes detection coverage for all new Fortinet vulnerabilities described in this report and more. Our ENTERPRISE FEED also provides a dedicated family of tests for Fortinet vulnerabilities, helping defenders to mitigate actively evolving threats.


With continuously updated vulnerability detection, risk prioritization intelligence, and scalable operations, OPENVAS SCAN helps organizations strengthen their cybersecurity posture by reducing exposure to known threats across IT environments.

Start evaluating Greenbone’s flagship product, OPENVAS SCAN. Our entry level enterprise appliance, OPENVAS BASIC, is available for free and includes a two week trial of the OPENVAS ENTERPRISE FEED.


Risk Assessment of New Fortinet CVEs

On April 14th and 15th, Fortinet disclosed 27 new vulnerabilities, including two critical flaws affecting FortiSandbox. Across the set of new CVEs, FortiOS, FortiWeb, FortiClient EMS, FortiDDoS-F, FortiSOAR, FortiManager, FortiSwitch Manager, FortiProxy, FortiPAM, FortiAnalyzer, FortiNDR, and FortiNAC-F are also affected.

The two critical FortiSandbox flaws, CVE-2026-39808 (CVSS 9.8) and CVE-2026-39813 (CVSS 9.8), can be exploited without authentication for RCE. Together, these two critical CVEs prompted several national CERT advisories [1][2][3][4][5][6][7][8][9], and a public proof of concept (PoC) exploit for CVE-2026-39808 is available, increasing the risk.

Fortinet also reported active exploitation of CVE-2025-61624 (CVSS 6.0). Since CVE-2025-61624 requires high-level local privileges to exploit, its active exploitation indicates that attackers have either obtained stolen credentials, exploited other software flaws to gain high-level access, or are insiders within the targeted organization.

The most important CVEs from the recently published group are:

  • CVE-2026-39808 (CVSS 9.8) affecting FortiSandbox 4.4.x: Improper neutralization of special elements used in an OS command [CWE-78] (OS command injection) allows an unauthenticated attacker to execute unauthorized code or commands via specially crafted HTTP requests. Only FortiSandbox 4.4.0 through 4.4.8 are affected; users should upgrade to 4.4.9 or above. A public proof of concept (PoC) exploit is available, increasing the risk. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39808 [1].
  • CVE-2026-39813 (CVSS 9.8) affecting FortiSandbox 5.0.x and 4.4.x: A path traversal flaw [CWE-24] allows an unauthenticated attacker to escalate privileges via specially crafted HTTP requests. FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8 are affected. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39813 [1].
  • CVE-2025-61624 (CVSS 6.0) affecting FortiOS, FortiPAM, FortiProxy, and FortiSwitch Manager: A path traversal flaw [CWE-22] in the command line interpreter of affected devices allows a privileged attacker to write or delete arbitrary files via specially crafted arguments to existing commands. Because exploitation requires high-level local privileges, the reported in-the-wild activity indicates that attackers have either obtained stolen credentials, exploited other software flaws to gain high-level access, or are insiders within the targeted organization. The OPENVAS ENTERPRISE FEED includes a local version check for FortiOS [1] and a remote banner check for FortiProxy [2] for CVE-2025-61624.
  • CVE-2026-39815 (CVSS 8.8) affecting FortiDDoS-F 7.2.1 through 7.2.2: An SQL injection flaw [CWE-89] allows an authenticated remote attacker to run arbitrary SQL queries on the database via specially crafted HTTP requests. Users should upgrade to 7.2.3 or above. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39815 [1].
  • CVE-2026-40688 (CVSS 7.2) affecting FortiWeb 8.0, 7.6, and 7.4: An out-of-bounds write [CWE-787] allows an authenticated remote attacker to execute arbitrary code or commands via crafted HTTP requests. FortiWeb 8.0.0 through 8.0.3, 7.6.0 through 7.6.6, and 7.4.0 through 7.4.11 are affected. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-40688 [1].
  • CVE-2026-39809 (CVSS 6.7) affecting FortiClient EMS 7.4, 7.2, and 7.0: An SQL injection flaw [CWE-89] allows authenticated remote attackers to execute unauthorized code or commands via specially crafted HTTP requests. FortiClient EMS 7.4.0 through 7.4.5, 7.2.0 through 7.2.12, and all 7.0 versions are affected. The OPENVAS ENTERPRISE FEED includes a remote banner version check for CVE-2026-39809 [1].

Fortinet provides a mapping tool for users to determine the recommended upgrade path for their product. A complete list of CVEs for Fortinet products can be found on the vendor’s PSIRT advisories page.
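
The affected ranges above are the input a defender needs for a first triage pass over an asset inventory, and the usual mistake in such scripts is comparing version strings lexically ("4.4.10" sorts before "4.4.9"). The following script is an added example written for this report, not Greenbone or Fortinet code: it transcribes the ranges listed above, parses versions into integer tuples, and reports which CVEs apply to each host. The inventory, hostnames and banner strings are constructed; the first patched release is filled in only where this report states one (4.4.9 for CVE-2026-39808, 7.2.3 for CVE-2026-39815), and every other entry defers to Fortinet's upgrade-path tool.

```python
import re
from typing import NamedTuple, Optional


class Affected(NamedTuple):
    cve: str
    product: str
    low: tuple            # first affected release, inclusive
    high: tuple           # last affected release, inclusive
    fixed: Optional[str]  # first patched release where the report states one
    cvss: float


OPEN = 10**6  # stands in for "every patch level of this branch"

# Affected ranges transcribed from this report. 'fixed' is None wherever the
# report gives no patched release; use Fortinet's upgrade-path tool for those.
AFFECTED = [
    Affected("CVE-2026-39808", "FortiSandbox", (4, 4, 0), (4, 4, 8), "4.4.9", 9.8),
    Affected("CVE-2026-39813", "FortiSandbox", (4, 4, 0), (4, 4, 8), None, 9.8),
    Affected("CVE-2026-39813", "FortiSandbox", (5, 0, 0), (5, 0, 5), None, 9.8),
    Affected("CVE-2026-39815", "FortiDDoS-F", (7, 2, 1), (7, 2, 2), "7.2.3", 8.8),
    Affected("CVE-2026-40688", "FortiWeb", (8, 0, 0), (8, 0, 3), None, 7.2),
    Affected("CVE-2026-40688", "FortiWeb", (7, 6, 0), (7, 6, 6), None, 7.2),
    Affected("CVE-2026-40688", "FortiWeb", (7, 4, 0), (7, 4, 11), None, 7.2),
    Affected("CVE-2026-39809", "FortiClient EMS", (7, 4, 0), (7, 4, 5), None, 6.7),
    Affected("CVE-2026-39809", "FortiClient EMS", (7, 2, 0), (7, 2, 12), None, 6.7),
    Affected("CVE-2026-39809", "FortiClient EMS", (7, 0, 0), (7, 0, OPEN), None, 6.7),
]

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> tuple:
    """Extract major.minor.patch as an int tuple from a version or banner
    string such as 'v4.4.10,build0550' (banner format is an assumption).
    Integer tuples compare correctly; the raw strings do not."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no x.y.z version in {banner!r}")
    return tuple(int(p) for p in m.groups())


def affected_cves(product: str, banner: str) -> list:
    """Return the Affected entries whose range contains this release,
    most severe first. Bounds are inclusive at both ends."""
    v = parse_version(banner)
    hits = [a for a in AFFECTED if a.product == product and a.low <= v <= a.high]
    return sorted(hits, key=lambda a: -a.cvss)


def triage(inventory: list) -> list:
    """inventory: [(hostname, product, version_string), ...]
    Returns one (hostname, cve, fixed_or_None) row per finding."""
    rows = []
    for host, product, banner in inventory:
        for a in affected_cves(product, banner):
            rows.append((host, a.cve, a.fixed))
    return rows


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("sbx-01", "FortiSandbox", "v4.4.8,build0541"),   # both critical CVEs
    ("sbx-02", "FortiSandbox", "v4.4.10,build0550"),  # above 4.4.9: clean
    ("sbx-03", "FortiSandbox", "v5.0.5,build0123"),   # CVE-2026-39813 only
    ("ddos-01", "FortiDDoS-F", "v7.2.3,build0100"),   # patched release
    ("waf-01", "FortiWeb", "v7.4.11,build1234"),      # last affected 7.4.x
    ("ems-01", "FortiClient EMS", "7.0.14"),          # every 7.0 release
]

if __name__ == "__main__":
    for host, cve, fixed in triage(SAMPLE_INVENTORY):
        action = f"upgrade to {fixed}+" if fixed else "see Fortinet upgrade path"
        print(f"{host:8} {cve}  {action}")
```

Feed it the product and version string your scanner or CMDB already records; the only parsing it relies on is the x.y.z triple, so appliance-specific build suffixes are ignored. Treat a clean result as a version check only, exactly like the banner checks in the feed: it does not prove the device is unexploited.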

Summary

Fortinet’s April 2026 disclosure introduces broad exposure across multiple product lines, with the most urgent risks centered on two critical FortiSandbox flaws that enable unauthenticated RCE. A further vulnerability in FortiOS, FortiPAM, FortiProxy and FortiSwitch Manager, CVE-2025-61624, was reported as actively exploited. Greenbone’s OPENVAS ENTERPRISE FEED covers all newly disclosed Fortinet vulnerabilities mentioned in this report and more, helping defenders identify affected systems and prioritize remediation.