
Three Critical Vulnerabilities in Fortinet FortiSandbox Actively Exploited


In a nutshell: Three vulnerabilities in Fortinet FortiSandbox (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) are being actively exploited; two were patched in April 2026, the third only in the past week.

The threat analysis team Defused Cyber documents active attacks on Fortinet FortiSandbox using three critical vulnerabilities (CVSS 9.1). Two were already patched in April 2026 and the third only in the past week, yet attackers are still exploiting them.

Defused Cyber reports the active exploitation of three critical vulnerabilities in Fortinet FortiSandbox, each with a CVSS score of 9.1. The vulnerabilities are designated CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089.

CVE-2026-39813 is an authentication bypass in the JRPC API path: an unauthenticated attacker can get past authentication with crafted HTTP requests. CVE-2026-39808 is an OS command injection that permits code execution without prior login. Both were fixed by updates in April 2026. CVE-2026-25089 is also an OS command injection, reachable via the web UI; its fix was released only in the past week. FortiSandbox (on-premises), FortiSandbox Cloud, and FortiSandbox PaaS are affected.

According to Defused Cyber, the exploit for CVE-2026-25089 that is in circulation shows characteristics of AI-generated code but is flawed and does not work; no working exploit has been published so far. That the two April vulnerabilities are still being exploited despite available updates suggests the patches are being rolled out slowly in production environments. Fortinet products are a continuous target: in April 2026 Fortinet also released an emergency update for a critical, actively exploited vulnerability in FortiClient EMS.

Source: www.it-daily.net · Published June 17, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
