Several recently patched vulnerabilities in Fortinet’s FortiSandbox are being actively exploited, according to security firm Defused. The three flaws, tracked as CVE-2026-39808, CVE-2026-39813, and CVE-2026-25089, have been observed in exploitation attempts against targets worldwide.
Critical Vulnerabilities Targeted
Defused recorded the exploitation attempts through its honeypots. CVE-2026-39813 and CVE-2026-39808 were both rated ‘critical severity’ and were patched in April. The former allows an attacker to bypass authentication; the latter is an OS command injection that allows arbitrary code execution.
Fortinet addressed CVE-2026-25089 in its June 2026 updates. That flaw allows a remote, unauthenticated attacker to execute commands. KEVIntel independently reported exploitation of CVE-2026-39808 on June 12, and both firms detected attacks against CVE-2026-39813 on June 15.
Emerging Threats and Exploits
According to Defused, the exploit used against CVE-2026-25089 appears to have been AI-generated and was initially ineffective. Separately, two vulnerabilities in Fortinet FortiClient EMS, CVE-2026-21643 and CVE-2026-35616, have also been exploited recently.
In an unrelated incident, SOCRadar uncovered a large-scale compromise of Fortinet firewalls affecting more than 30,000 devices globally. The campaign, named ‘FortiBleed,’ systematically targets Fortinet firewalls and VPN gateways, exposing the corporate networks behind them.
Impact and Ongoing Risks
SOCRadar’s findings show that the compromised devices belong to organizations in more than 190 countries, with the largest numbers in India and the United States. The attackers reportedly use a curated password list to gain access to the devices, then monitor the traffic passing through them and harvest additional credentials for follow-on intrusions.
Researchers gained insight into the attackers’ operations through a server the attackers left exposed, on which they found credentials for a defense-industry VPN endpoint. This suggests the attackers’ goals may extend beyond financial gain.
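The access technique described above, a password list tried against VPN accounts, leaves a recognisable pattern in gateway logs: one source address failing against many different accounts in a short span, sometimes followed by a success. The following detector is an added example written for this page, not SOCRadar’s tooling or Fortinet’s. It assumes FortiGate-style `key="value"` SSL-VPN event lines with `action`, `user` and `remip` fields; the sample lines and the `ssl-login-fail` / `ssl-login` action names are constructed for the example and should be checked against your own device’s log format before use.

```python
"""Detect password spraying against a VPN gateway from FortiGate-style event logs.

Added example: the sample lines are constructed, and the field names (action,
user, remip) and action values (ssl-login-fail, ssl-login) are assumptions about
the SSL-VPN event log format, not taken from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real captures. 203.0.113.7 sprays four accounts
# and then logs in as one of them; 198.51.100.4 is one user mistyping a password.
SAMPLE_LOGS = """\
date=2026-06-15 time=03:12:01 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:12:04 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:12:09 type="event" subtype="vpn" action="ssl-login-fail" user="akhan" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:12:15 type="event" subtype="vpn" action="ssl-login-fail" user="rpatel" remip=203.0.113.7 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=03:13:40 type="event" subtype="vpn" action="ssl-login" user="rpatel" remip=203.0.113.7 reason="login successfully"
date=2026-06-15 time=08:01:10 type="event" subtype="vpn" action="ssl-login-fail" user="dgarcia" remip=198.51.100.4 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=08:01:30 type="event" subtype="vpn" action="ssl-login-fail" user="dgarcia" remip=198.51.100.4 reason="sslvpn_login_permission_denied"
date=2026-06-15 time=08:02:02 type="event" subtype="vpn" action="ssl-login" user="dgarcia" remip=198.51.100.4 reason="login successfully"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces)
# or a bare token such as an IP address.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one log line into a dict and attach a datetime under 'ts'."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"],
                                     "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_spray(events, window=timedelta(minutes=10), min_users=3):
    """Return {remip: sorted distinct users} for every source whose failed logins
    hit at least min_users distinct accounts inside some window-long span.

    Spraying is separated from a user mistyping their own password by counting
    distinct accounts per source, not raw failures.
    """
    failures = defaultdict(list)
    for e in events:
        if e.get("action") == "ssl-login-fail":
            failures[e["remip"]].append((e["ts"], e["user"]))
    sprayers = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                sprayers[ip] = sorted(users)
                break
    return sprayers


def successes_after_spray(events, sprayers):
    """Successful logins from a source already flagged as spraying: the event
    that should page someone, since it marks a guessed password."""
    return [(e["remip"], e["user"], e["ts"].isoformat())
            for e in events
            if e.get("action") == "ssl-login" and e["remip"] in sprayers]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    sprayers = detect_spray(evs)
    for ip, users in sprayers.items():
        print(f"spray from {ip}: {len(users)} accounts tried {users}")
    for ip, user, ts in successes_after_spray(evs, sprayers):
        print(f"ALERT {ts} login as {user} from spraying source {ip}")
```

The window and threshold are deliberately loose so that a slow spray (a few accounts every few minutes) is still caught; tune `min_users` upward on gateways with many users behind a shared NAT address, where several people failing from one `remip` is normal.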
Attribution remains uncertain, though there is speculation that Russian-speaking actors are involved. Organizations are urged to apply Fortinet’s patches promptly. Because the FortiBleed campaign harvests credentials from the devices it reaches, patching alone does not close the exposure of a device that has already been accessed: the passwords used on and through such a device should be treated as compromised and rotated.
