Working FortiSandbox Exploit Goes Public — Patch Before Monday

A working exploit for a critical FortiSandbox vulnerability hit the public internet this weekend, and if you run Fortinet’s sandboxing appliance anywhere in your network, the clock just started ticking. Security researchers have published a proof-of-concept for CVE-2026-39808 — an unauthenticated OS command injection flaw that lets an attacker run arbitrary commands as root with a single crafted HTTP request, as reported by Cyber Security News on 18 April. No login. No user interaction. Game over for the box.

The bug affects FortiSandbox versions 4.4.0 through 4.4.8 and sits in the /fortisandbox/job-detail/tracer-behavior endpoint. Fortinet released fixed builds on 15 April (see Help Net Security’s writeup), but with a working exploit now on GitHub, mass scanning for exposed management interfaces is inevitable. This matters for Australian businesses because FortiSandbox doesn’t just sit alone — it feeds verdicts to your FortiGate firewalls, FortiMail, and FortiClient endpoints. A compromised sandbox poisons the rest of the stack.

If you or your IT provider runs FortiSandbox, do three things today. First, confirm the build number and upgrade to a release beyond 4.4.8 (Fortinet’s advisory FG-IR-26-100 lists the fixed versions). Second, lock the management interface down to trusted IPs — there is no reason it should be reachable from the open internet. Third, pull access logs for the past fortnight and look for unusual POST requests to the tracer-behavior endpoint.
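The first and third checks above, as an added example that is not code from the original article or from Fortinet. It assumes the access log is in Apache/nginx common or combined format and that you supply your own trusted management networks; the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

ENDPOINT = "/fortisandbox/job-detail/tracer-behavior"  # path named in the article
AFFECTED = ((4, 4, 0), (4, 4, 8))                      # affected range the article lists

# Assumption: common/combined access-log layout; adjust for your log source.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def is_affected(version):
    """True if a dotted build string falls in 4.4.0 through 4.4.8."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED[0] <= parts <= AFFECTED[1]

def find_suspect_posts(lines, trusted_nets, now, days=14):
    """POSTs to ENDPOINT within the last `days` days from untrusted sources."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    cutoff = now - timedelta(days=days)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore any query string and trailing slash when comparing the path.
        if m["target"].split("?", 1)[0].rstrip("/") != ENDPOINT:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:  # client field is a hostname, not an address
            continue
        if when >= cutoff and not any(src in net for net in nets):
            hits.append((when.isoformat(), str(src), m["status"]))
    return hits

# Constructed sample data (documentation address ranges), not real traffic.
SAMPLE_NOW = datetime(2026, 4, 20, tzinfo=timezone(timedelta(hours=10)))
SAMPLE_TRUSTED = ["10.0.0.0/8"]
SAMPLE = [
    '203.0.113.50 - - [18/Apr/2026:03:12:44 +1000] "POST /fortisandbox/job-detail/tracer-behavior HTTP/1.1" 200 512',
    '10.0.5.20 - - [17/Apr/2026:09:01:10 +1000] "POST /fortisandbox/job-detail/tracer-behavior HTTP/1.1" 200 498',
    '198.51.100.7 - - [01/Mar/2026:11:00:00 +1000] "POST /fortisandbox/job-detail/tracer-behavior HTTP/1.1" 200 512',
    '203.0.113.50 - - [18/Apr/2026:03:12:40 +1000] "GET / HTTP/1.1" 200 2048',
]
```

Any row returned is a lead for review rather than proof of compromise; an empty result only covers the log source and time window you fed in.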

Not sure whether you have Fortinet gear in the mix, or whether your current patch cadence covers appliance-level firmware? That’s a sensible thing to sanity-check. Our cybersecurity team handles patch management and perimeter hardening for Australian SMBs every day — a quick conversation is free.
