CVE-2026-39813: FortiSandbox 5.2 and 4.2 not affected by JRPC API design weakness. Please stay alert! (21st Apr 2026)

Preface: FortiSandbox sends analyzed threat logs (including malicious file behavior, risk ratings, etc.) to FortiSIEM.

FortiSIEM obtains threat intelligence from FortiSandbox via API, correlates and analyzes it with logs from other devices to enrich alert content and improve detection accuracy.

Background: In the Fortinet ecosystem, the filedir parameter is specifically used in the FortiSIEM Integration API, rather than the standard FortiManager JRPC configuration API. It is used during Lookup Table operations to specify the directory path for CSV file imports.

Key Difference: FortiManager vs. FortiSIEM

  • FortiManager/FortiOS: Uses the url and data structure for almost all JRPC tasks. File operations (like backups) are usually handled by exec commands that return the file content directly in the JSON response, without requiring a local filedir on the appliance.
  • FortiSIEM: Uses explicit path parameters like fileDir and fileName for bulk data ingestion and system-level integrations.

Vulnerability details: A Path Traversal vulnerability [CWE-24] in the FortiSandbox JRPC API may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.
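Added example (not Fortinet code and not taken from the advisories): a server-side check that confines fileDir/fileName style import parameters to a single directory, the usual mitigation for the path traversal class cited above. The function names, the `/data/imports` root and the sample parameters are assumptions constructed for illustration.

```python
import os
from urllib.parse import unquote

class PathRejected(ValueError):
    """fileDir/fileName would resolve outside the import root."""

def resolve_import_path(import_root, file_dir, file_name):
    """Return the canonical CSV path under import_root, or raise PathRejected."""
    # Decode until stable so double-encoded "%252e%252e%252f" is caught too.
    for _ in range(4):
        decoded = (unquote(file_dir), unquote(file_name))
        if decoded == (file_dir, file_name):
            break
        file_dir, file_name = decoded
    else:
        raise PathRejected("encoding nested too deeply")
    file_dir = file_dir.replace("\\", "/")
    if "\x00" in file_dir + file_name or file_dir.startswith("/"):
        raise PathRejected("fileDir must be a relative path without NUL bytes")
    # fileName must be a bare name, never a path fragment.
    if file_name in ("", ".", "..") or "/" in file_name or "\\" in file_name:
        raise PathRejected("fileName must be a bare file name")
    if not file_name.lower().endswith(".csv"):
        raise PathRejected("only .csv imports are accepted")
    root = os.path.realpath(import_root)
    # realpath collapses ".." and follows symlinks before the containment check.
    candidate = os.path.realpath(os.path.join(root, file_dir, file_name))
    # commonpath, not startswith: "/data/imports_old" is not under "/data/imports".
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected("path escapes the import root")
    return candidate

def verdict(import_root, params):
    """Return 'ok' or the rejection reason for one request's parameters."""
    try:
        resolve_import_path(import_root, params["fileDir"], params["fileName"])
        return "ok"
    except PathRejected as exc:
        return str(exc)

# Constructed sample parameters (not captured traffic).
SAMPLES = [
    {"fileDir": "lookups/geo", "fileName": "cities.csv"},
    {"fileDir": "../../etc", "fileName": "hosts.csv"},
    {"fileDir": "%252e%252e%252f%252e%252e", "fileName": "hosts.csv"},
    {"fileDir": "lookups", "fileName": "../hosts.csv"},
]

if __name__ == "__main__":
    for sample in SAMPLES:  # "/data/imports" is a hypothetical import root
        print(sample, "->", verdict("/data/imports", sample))
```

Rejections produced by a check like this are worth logging with the raw parameter values, since repeated traversal attempts against an import endpoint are a useful detection signal.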

Official announcement: Please refer to the links for details:

https://nvd.nist.gov/vuln/detail/CVE-2026-39813

https://fortiguard.fortinet.com/psirt/FG-IR-26-112
