Recent cyber threats have put Fortinet’s FortiSandbox platform in the spotlight, as multiple critical vulnerabilities are currently being exploited by threat actors. Live attack telemetry from the past 24 hours has confirmed these attempts, raising significant security concerns.
Identification of Critical CVEs
Security firm Defused has identified three critical Common Vulnerabilities and Exposures (CVEs) that are being actively targeted. Notably, CVE-2026-39813, which had no prior exploitation history, is now under attack. Honeypot sensors have intercepted attempts to exploit these vulnerabilities through port 443, specifically targeting the /jsonrpc/ API endpoint.
Among these, CVE-2026-39813 is a path traversal flaw in the FortiSandbox JRPC API that allows unauthenticated attackers to bypass security controls via crafted HTTP requests. The vulnerability gives access to sensitive data without credentials, and this is the first time its exploitation has been observed.
Details of Vulnerable Endpoints
CVE-2026-39808 is another critical flaw, an OS command injection vulnerability that lets attackers execute arbitrary commands as root through an API endpoint. A proof-of-concept exploit has been public since April 2026, and recent attacks have used it, indicating its effectiveness.
The third vulnerability, CVE-2026-25089, is likewise an OS command injection flaw, affecting multiple FortiSandbox versions and cloud deployments. No public exploit is available, so the opportunistic attempts observed suggest attackers are probing for the weakness with AI-assisted or heuristic methods.
Implications for Network Security
The affected FortiSandbox versions can be exploited without any authentication, posing a significant risk to exposed management interfaces. A compromised system could potentially validate malicious files as safe or allow attackers to move laterally within networks, threatening broader enterprise security.
Analysis of attack patterns attributes the exploitation attempts to IP address 141.11.43.175, linked to AS136510 Streamline Servers Pty Ltd in Singapore. This source carries a high threat score, underscoring the importance of monitoring for indicators of compromise such as specific user-agents and the targeted endpoints.
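As an added illustration of the monitoring described above (example code, not from Defused, Fortinet or the article), the following Python scans web-access-log lines for the indicators the article names: requests from the reported source IP and requests to the /jsonrpc/ endpoint carrying path-traversal sequences, URL-decoded so encoded variants are caught. The combined log format, the sample lines and the IoC set are constructed for the example; the article does not list the user-agent strings, so each finding keeps the user-agent for an analyst to pivot on.

```python
import re
from urllib.parse import unquote

# Source IP named in the article; extend from your own IoC feed (constructed set).
KNOWN_SOURCE_IPS = {"141.11.43.175"}
TARGET_ENDPOINT = "/jsonrpc/"            # API path the honeypot sensors saw targeted
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # ../ or ..\ after URL-decoding

# Assumed combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines: one benign request, one hit from the reported IP,
# one double-encoded traversal attempt against the API path from another address.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2026:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '141.11.43.175 - - [12/May/2026:10:01:07 +0000] "POST /jsonrpc/ HTTP/1.1" 401 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [12/May/2026:10:02:11 +0000] "GET /jsonrpc/..%252f..%252fconfig HTTP/1.1" 403 0 "-" "curl/8.0"',
]

def classify(fields):
    """Return the reasons a parsed request is suspicious; an empty list means clean."""
    reasons = []
    if fields["ip"] in KNOWN_SOURCE_IPS:
        reasons.append("known-source-ip")
    decoded = unquote(unquote(fields["path"]))  # decode twice to catch double-encoding
    if decoded.startswith(TARGET_ENDPOINT):
        reasons.append("jsonrpc-endpoint")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path-traversal")
    return reasons

def scan(lines):
    """Return one finding per suspicious line; unparsable lines are surfaced, not dropped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append({"ip": line.split()[0], "ua": "", "reasons": ["unparsed"]})
            continue
        reasons = classify(m.groupdict())
        if reasons:
            findings.append({"ip": m["ip"], "ua": m["ua"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```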
The cybersecurity community is urged to stay updated on further developments and apply necessary patches to mitigate these threats. Continuous vigilance and proactive defense strategies remain crucial in countering such sophisticated cyber threats.
