Fortinet patches critical FortiSandbox flaws in broad April security update


Fortinet has released a new batch of security advisories covering 11 vulnerabilities across FortiSandbox, FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager. The most urgent issues are two critical FortiSandbox flaws that Fortinet says could let unauthenticated attackers bypass authentication or execute unauthorized code through crafted HTTP requests.

The first critical bug, tracked as CVE-2026-39808, is an OS command injection issue in the FortiSandbox API. Fortinet assigned it a CVSS v3 score of 9.1 and says affected FortiSandbox 4.4 systems should move to version 4.4.9 or later.

The second critical bug, CVE-2026-39813, affects the FortiSandbox JRPC API and can allow authentication bypass and privilege escalation without credentials. Fortinet also scored this flaw at 9.1 and lists fixed versions including FortiSandbox 5.0.6 and 4.4.9 or newer.

Other products also received important fixes

Beyond FortiSandbox, Fortinet also patched a high-severity heap-based buffer overflow in the oftpd daemon used by FortiAnalyzer Cloud and FortiManager Cloud. That bug, CVE-2026-22828, is unauthenticated, carries a CVSS v3 score of 7.3, and affects 7.6.2 through 7.6.4 in the cloud branches.

Fortinet also fixed a medium-severity CAPWAP daemon issue, CVE-2025-53847, in FortiOS and FortiSwitchManager. The company classifies it as a missing authentication flaw for a critical function, and says it can let an unauthenticated attacker execute unauthorized code or commands in affected deployments.

Several of the remaining bugs involve path traversal, XSS, and SQL injection. One detail stands out: Fortinet marks CVE-2025-61624, a CLI path traversal issue affecting FortiOS, FortiPAM, FortiProxy, and FortiSwitchManager, as known exploited, while the two critical FortiSandbox bugs currently show no known exploitation in Fortinet’s advisories.

What matters most for defenders

For most security teams, the priority is clear. Patch FortiSandbox first, especially internet-exposed or high-value systems, because both critical flaws are unauthenticated and hit core API surfaces. After that, cloud deployments running FortiAnalyzer Cloud and FortiManager Cloud should move quickly on the high-severity oftpd fix.

This update also shows how wide Fortinet’s April 14 release was. The affected products span sandboxing, analytics, management, firewall, proxy, privileged access, and switch management platforms, which means large enterprises may need a coordinated review rather than a one-product patch cycle.

Fortinet says customers should upgrade to the fixed releases listed in each PSIRT advisory. In practice, admins should verify exposed FortiSandbox versions first, check cloud management tenants next, and then review internal access paths for the medium-severity issues that still open the door to privilege escalation, code execution, or credential exposure.

Vulnerabilities at a glance

CVE | Product(s) | Severity | Main risk
CVE-2026-39808 | FortiSandbox | Critical | OS command injection via API
CVE-2026-39813 | FortiSandbox | Critical | Authentication bypass and privilege escalation
CVE-2026-22828 | FortiAnalyzer Cloud, FortiManager Cloud | High | Heap-based buffer overflow
CVE-2025-53847 | FortiOS, FortiSwitchManager | Medium | Missing authentication for critical function
CVE-2025-61624 | FortiOS, FortiPAM, FortiProxy, FortiSwitchManager | Medium | Path traversal, marked known exploited
CVE-2025-61848 | FortiAnalyzer, FortiManager and cloud variants | Medium | SQL injection via JSON RPC API

Data compiled from Fortinet PSIRT advisories published April 14, 2026.

What admins should do now

  • Patch FortiSandbox systems first, especially versions in the affected 4.4.x and 5.0.x ranges.
  • Review FortiAnalyzer Cloud and FortiManager Cloud tenants for the oftpd daemon fix.
  • Treat CVE-2025-61624 with extra urgency because Fortinet flags it as known exploited.
  • Check internal admin and CLI exposure across FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager.
  • Map every affected product against the fixed-version guidance in the matching PSIRT bulletin before scheduling maintenance.
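As an added example (not from the article or from Fortinet), a small Python triage helper that maps a constructed device inventory against the version data stated above: FortiSandbox 4.4.x fixed at 4.4.9, 5.0.x fixed at 5.0.6, and the cloud 7.6.2 through 7.6.4 range for the oftpd bug. Any product or branch the article gives no fixed version for is reported as "verify" rather than assumed safe; hostnames are hypothetical.

```python
"""Triage a Fortinet device inventory against the version data in this April 2026 advisory batch."""

# Fixed/affected ranges are only those stated in the article. Branches it does
# not cover are deliberately absent so they are reported as "verify", never "ok".
FIXED_VERSIONS = {
    # product -> {branch: first fixed version}
    "FortiSandbox": {(4, 4): (4, 4, 9), (5, 0): (5, 0, 6)},
}
AFFECTED_RANGES = {
    # product -> (branch, lowest affected, highest affected); no fix version given here
    "FortiAnalyzer Cloud": ((7, 6), (7, 6, 2), (7, 6, 4)),
    "FortiManager Cloud": ((7, 6), (7, 6, 2), (7, 6, 4)),
}

def parse_version(text):
    """Turn '4.4.7' into (4, 4, 7); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts

def triage(product, version):
    """Return 'patch', 'ok' or 'verify' for one inventory entry."""
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_VERSIONS.get(product, {}).get(branch)
    if fixed is not None:
        return "ok" if v >= fixed else "patch"
    rng = AFFECTED_RANGES.get(product)
    if rng is not None and rng[0] == branch:
        return "patch" if rng[1] <= v <= rng[2] else "verify"
    # Product or branch not covered by the article's data: read the PSIRT bulletin.
    return "verify"

# Constructed sample inventory (hypothetical hostnames, not real devices).
INVENTORY = [
    ("sbx-dmz-01", "FortiSandbox", "4.4.7"),
    ("sbx-lab-02", "FortiSandbox", "5.0.6"),
    ("faz-cloud", "FortiAnalyzer Cloud", "7.6.3"),
    ("fmg-cloud", "FortiManager Cloud", "7.6.5"),
    ("fgt-core", "FortiOS", "7.4.0"),
]

def triage_inventory(inventory):
    """Map hostname -> verdict for every entry."""
    return {host: triage(product, ver) for host, product, ver in inventory}

if __name__ == "__main__":
    for host, verdict in triage_inventory(INVENTORY).items():
        print(f"{host}: {verdict}")
```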

FAQ

What is the most serious issue in this Fortinet update?

The most serious issues are CVE-2026-39808 and CVE-2026-39813 in FortiSandbox. Both are unauthenticated, both carry CVSS scores of 9.1, and both affect API-facing components.

Has Fortinet said these critical bugs are being exploited?

In the official advisories for the two critical FortiSandbox flaws, Fortinet lists them as not known exploited at publication time.

Is any flaw in this batch marked as exploited?

Yes. Fortinet marks CVE-2025-61624, the CLI path traversal issue affecting several products, as known exploited.

Which products appear most exposed in this release?

FortiSandbox stands out because it received both critical advisories, while FortiAnalyzer Cloud and FortiManager Cloud also need fast attention because of the unauthenticated high-severity oftpd flaw.
