Fortinet suffers three critical vulnerabilities actively exploited

What happened?

Threat intelligence firm Defused has reported active exploitation of three critical vulnerabilities in FortiSandbox, Fortinet's sandboxing product. The flaws, identified as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089, each carry a CVSS score of 9.1 (critical). According to Defused, attacks began during the weekend of June 14, 2026. The Register confirmed that Fortinet patched two of the three vulnerabilities in April 2026 and the third last week, but at the time stated there were no reports of active exploitation. Defused noted in a LinkedIn post that exploitation began hours after the patch for the third flaw, suggesting attackers may have been testing exploits before official release.

Technical details

CVE-2026-39813: This is a path traversal vulnerability in the JRPC API of FortiSandbox that allows authentication bypass via specially crafted HTTP requests. It affects FortiSandbox versions 4.4.0 to 4.4.8 and 5.0.0 to 5.0.5. It was discovered by Fortinet security analyst Loic Pantano. The fix requires upgrading to FortiSandbox 4.4.9+ or 5.0.6+.

CVE-2026-39808: An operating system command injection flaw in FortiSandbox that allows unauthenticated attackers to execute unauthorized code or commands via HTTP requests. It affects versions 4.4.0 to 4.4.8. It was reported by Samuel de Lucas Maroto, a researcher at KPMG Spain. The patch is available in FortiSandbox 4.4.9+.

CVE-2026-25089: Another operating system command injection vulnerability, this time in the web interface of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. It allows unauthenticated attackers to execute arbitrary commands via manipulated HTTP requests. It affects FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5, FortiSandbox Cloud 5.0.4-5.0.5, and FortiSandbox PaaS 5.0.4-5.0.5. Defused noted that the public exploit for CVE-2026-25089 appears to be "vibe coded" (possibly AI-generated) and may be flawed, though active exploitation has already been observed.

Patch status

Fortinet released patches for CVE-2026-39813 and CVE-2026-39808 in April 2026, and for CVE-2026-25089 last week. However, at the time of patching, the company stated there were no reports of active exploitation. Defused notes that exploitation began days after the patch for the third vulnerability. Fortinet did not respond to The Register's inquiries about whether it had observed attacks against these CVEs. The lack of timely communication leaves administrators without official confirmation of the threat's magnitude.

Importance and context

Fortinet is a leading network security provider, and its products are frequent targets for cybercriminals. Recently, Check Point warned that ransomware was exploiting a critical authentication bypass vulnerability in Fortinet VPN. The combination of multiple critical flaws in a sandboxing product, which by definition should isolate threats, is particularly serious. Attackers could gain full access to systems running FortiSandbox, compromising the security of the entire infrastructure. Historically, Fortinet has been targeted by advanced attacks: in 2024, vulnerabilities in FortiOS SSL-VPN were exploited, and in 2025, a similar flaw in FortiGate allowed unauthorized access. This pattern underscores the need for rigorous patch management and continuous monitoring.

Consequences

Organizations that fail to apply patches risk intrusions, data theft, or ransomware deployment. Given that exploitation is already active, prioritizing updates to fixed versions is recommended: FortiSandbox 4.4.9+ or 5.0.6+, and for cloud versions, respective updates. The potential impact is high: FortiSandbox is used in enterprise and government environments to analyze threats, so a compromise could expose sensitive information from multiple clients. Additionally, the nature of the vulnerabilities (command injection and authentication bypass) allows attackers to execute arbitrary code without credentials, facilitating lateral movement within the network.

Recommendations

• Update FortiSandbox to the latest version according to the product branch.
• Review logs for suspicious activity related to the vulnerabilities, especially unusual HTTP connections or command execution.
• Implement network segmentation and additional monitoring to detect potential compromises, including intrusion detection systems (IDS) and traffic analysis.
• Consider temporarily disabling the web interface if not needed, until patches are applied.

“We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities over the last 24 hours,” Defused stated on LinkedIn. “According to our research, a functional exploit for CVE-2026-25089 has not yet been publicly disclosed,” the firm added, noting that the existing exploit appears to be of low quality.

The situation echoes previous incidents such as the exploitation of CVE-2023-27997 in FortiGate, which was also patched but later exploited. The lesson is clear: patches must be applied immediately, especially when it comes to critical security products.