Fortinet Path Traversal Flaw: Critical Privilege Escalation Risk

The National Vulnerability Database (NVD) has highlighted a critical path traversal vulnerability affecting specific versions of Fortinet’s FortiSandbox. Identified as CVE-2026-39813, this flaw carries a CVSS score of 9.8, placing it firmly in the ‘CRITICAL’ severity bracket. According to NVD, the vulnerability exists in FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8.

Exploitation of this path traversal vulnerability, described as ‘../filedir’, could potentially allow an unauthenticated attacker to escalate privileges on the affected systems. While the exact attack vector is not fully detailed in the initial advisory, path traversal flaws typically involve tricking the application into accessing files or directories outside of its intended scope, which can lead to unauthorized data access or code execution. The CWE-24 designation further clarifies the nature of this weakness.

Given the critical nature and high CVSS score, organizations relying on these FortiSandbox versions should treat this as an urgent patching requirement. Unpatched systems present a significant risk, as a successful exploit could grant attackers elevated control over the security appliance, potentially undermining the very defenses it’s meant to provide.