The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding two critical vulnerabilities in Fortinet’s FortiSandbox technology. These vulnerabilities have been actively exploited in cyberattacks, prompting CISA to add them to its Known Exploited Vulnerabilities (KEV) Catalog.
Details of the Fortinet Vulnerabilities
Identified as CVE-2026-39808 and CVE-2026-25089, these vulnerabilities allow attackers to execute unauthorized operating system commands. This is achieved through specially crafted HTTP requests sent by unauthenticated users. The vulnerabilities fall under the category of OS command injection (CWE-78), where unsanitized user input is incorrectly processed by the system.
The first vulnerability, CVE-2026-39808, is specific to Fortinet FortiSandbox, potentially enabling a remote attacker to run arbitrary commands on affected devices. The second, CVE-2026-25089, impacts a wider range of Fortinet environments, including FortiSandbox Cloud and PaaS, creating more opportunities for exploitation.
Impact and Response
FortiSandbox is a critical tool for organizations, used to analyze suspicious files and malware in secure environments. These vulnerabilities pose a significant risk as they could allow attackers to gain access to sensitive systems and data. Such access might lead to a broader compromise of an organization’s network by leveraging malicious content.
CISA added these vulnerabilities to its KEV Catalog on July 16, 2026. Federal agencies are required to apply vendor-provided patches by July 19, 2026, as per Binding Operational Directive BOD 26-04. This swift action underscores the serious threat these vulnerabilities present, especially given their active exploitation.
Recommendations for Organizations
Organizations using FortiSandbox and its derivatives should prioritize reviewing and implementing Fortinet’s security advisories. Applying all available patches and mitigations is crucial to maintaining network integrity. Security teams should identify all FortiSandbox assets exposed to the internet, restrict access to management interfaces, and monitor HTTP logs for unusual activity.
In cases where patches are unavailable, CISA advises adhering to relevant cloud service guidelines or temporarily discontinuing the use of affected products. This proactive approach can prevent potential breaches until a permanent fix is available.
Furthermore, following CISA’s forensic triage requirements can help assess whether systems were compromised prior to remediation efforts. Such measures are essential in safeguarding against command injection flaws that attackers might exploit to deploy malware or disable security tools.
To reinforce security operations, integrating threat detection and rapid investigation tools can be beneficial. Such integrations can accelerate the identification and response to potential threats, thereby enhancing organizational resilience against cyber threats.
