Attackers Exploit Three Fortinet FortiSandbox Flaws, Including One Patched Last Week

Threat intelligence firm Defused Cyber has reported active in-the-wild exploitation of three critical vulnerabilities in Fortinet FortiSandbox appliances over the past 24 hours. The flaws — tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 — each carry a maximum CVSS score of 9.1, underscoring the severity of the threat facing organizations that have not yet applied available patches. Defused Cyber shared the findings via a post on X, warning defenders to prioritize remediation across FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS deployments.

CVE-2026-39813 is a path traversal vulnerability in the FortiSandbox JRPC API that allows an unauthenticated attacker to bypass authentication through specially crafted HTTP requests. CVE-2026-39808 is an operating system command injection flaw that similarly enables unauthenticated remote code execution via crafted HTTP requests. Both were patched by Fortinet in April 2026. The third flaw, CVE-2026-25089 — another OS command injection impacting the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI — was fixed only last week, meaning many organizations may still be running vulnerable builds. Defused Cyber also noted that the publicly observed exploit for CVE-2026-25089 appears to have been generated using an artificial intelligence model and is reportedly non-functional, though a working exploit has not been publicly disclosed.

Fortinet appliances have repeatedly been targeted by sophisticated threat actors in recent years, with attackers chaining authentication bypasses and injection flaws to gain persistent footholds in enterprise networks. In April 2026 alone, Fortinet shipped out-of-band patches for a critical FortiClient EMS flaw (CVE-2026-35616) that was also confirmed as exploited in the wild. Security teams should immediately audit their FortiSandbox deployments, verify firmware versions, and hunt for indicators of compromise. Administrators can use a port scanner to identify exposed FortiSandbox management interfaces and a SSL/TLS checker to validate certificate configurations on appliance endpoints. Given that the actively exploited chain includes an authentication bypass, defenders should also review credential hygiene and run a password checker to ensure no administrative accounts are using weak or previously leaked passwords.