CyberSecurityNews

FortiSandbox Vulnerability Exposes VNC Server to Unauthenticated Attackers


Fortinet has disclosed a high-severity vulnerability in FortiSandbox that could let unauthenticated attackers gain access to the VNC server of virtual machines used for malware scanning.

Tracked as CVE-2026-59835, the flaw is classified as an Exposure of Resource to Wrong Sphere issue (CWE-668) and carries a CVSSv3 score of 7.7, indicating high severity.

The bug allows an attacker to send crafted network requests and reach the VNC server tied to scanning VMs without needing any credentials, opening the door to information disclosure. This is a network-based attack requiring low complexity and no user interaction, meaning any exposed FortiSandbox appliance is a potential target.

Since FortiSandbox relies on isolated VMs to safely detonate and analyze suspicious files, unauthorized VNC access could let an attacker peer into or interact with these sandboxed environments, potentially undermining the integrity of malware analysis and exposing sensitive scan data.

Affected Versions and Fixes

FortiSandbox VersionAffected BuildsFix
5.2Not affectedNot applicable
5.05.0.0 through 5.0.2Upgrade to 5.0.3 or above
4.44.4.3 through 4.4.8Upgrade to 4.4.9 or above

FortiSandbox PaaS deployments are not impacted, so customers running that variant do not need to take action. However, two hardware models, FSA-500G and FSA-1500G, are explicitly listed as affected, making this a priority patch for organizations running on-premises appliances of these types.

Fortinet credited the security team from INPS for identifying and responsibly reporting the issue, following the company’s standard coordinated disclosure process. This vulnerability was published under advisory FG-IR-26-145 on July 14, 2026, and there are currently no reports of it being exploited in the wild.

This disclosure adds to a string of recent FortiSandbox security issues Fortinet has addressed this year, including a critical OS command injection flaw (CVE-2026-25089, CVSS 9.1) and a missing authorization bug in the product’s Web UI, both of which similarly allowed unauthenticated remote attackers to compromise the platform.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.



Source link