VYPR
kev · Published Jun 16, 2026 · 1 source

Three Critical Fortinet FortiSandbox Bugs Under Active Exploitation by Unknown Attackers

Three critical Fortinet FortiSandbox vulnerabilities, including authentication bypass and remote code execution flaws, are being actively exploited in the wild, according to threat intelligence firm Defused.

Three critical vulnerabilities in Fortinet's FortiSandbox product are under active exploitation by unknown attackers, according to threat intelligence firm Defused. The flaws, tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089, each carry a CVSS score of 9.1 and allow attackers to bypass authentication, escalate privileges, and execute arbitrary code remotely. Fortinet patched two of the vulnerabilities in April and the third in June, but exploitation has now been confirmed in the wild.

The most severe of the three, CVE-2026-39813, is a path traversal vulnerability in the FortiSandbox JRPC API that enables authentication bypass via specially crafted HTTP requests. This flaw affects FortiSandbox versions 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5. Fortinet credited internal security analyst Loic Pantano for discovering this bug. The second vulnerability, CVE-2026-39808, is an OS command injection flaw that allows unauthenticated attackers to execute unauthorized code or commands through HTTP requests, affecting versions 4.4.0 through 4.4.8. It was reported by Samuel de Lucas Maroto of KPMG Spain.

The third flaw, CVE-2026-25089, is another OS command injection vulnerability, this one in the FortiSandbox WEB UI, and it also affects FortiSandbox Cloud and FortiSandbox PaaS. The bug affects FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5, along with Cloud and PaaS versions 5.0.4 through 5.0.5. According to Defused, exploitation of these vulnerabilities began over the weekend; the firm noted in a LinkedIn post that it was observing exploitation of multiple FortiSandbox flaws within a 24-hour period. The company also stated that no working exploit for CVE-2026-25089 had yet been publicly disclosed, and that the exploit for this flaw appeared to be "vibe coded" and may be faulty.

Fortinet has released patches for all three vulnerabilities. Users are urged to upgrade FortiSandbox to version 4.4.9 or later, or 5.0.6 or later, depending on their branch. For FortiSandbox Cloud and PaaS, upgrading to fixed versions is also required. The vendor did not respond to inquiries about whether it had observed any attacks against these CVEs. The active exploitation of these flaws underscores the persistent threat to Fortinet products, which have been frequent targets for ransomware groups and other malicious actors.

Earlier this month, Check Point researchers warned that ransomware criminals had exploited a critical authentication bypass vulnerability in Fortinet's Remote Access VPN and Mobile Access deployments, and that the same crew was likely abusing other VPN-related vulnerabilities in Fortinet products. The latest FortiSandbox exploitation adds to a growing list of Fortinet flaws being actively targeted, making it imperative for organizations to apply patches immediately. Defused's detection of the exploitation activity serves as a critical warning for enterprises relying on FortiSandbox for malware analysis and threat detection.

Synthesized by Vypr AI