Recent Exploitation of Fortinet FortiSandbox Vulnerabilities
Threat intelligence firm Defused Cyber has reported that malicious actors are currently exploiting several vulnerabilities in Fortinet FortiSandbox. These include CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089, all of which pose significant security risks.
Details of the Vulnerabilities
CVE-2026-39813 is a critical path traversal flaw in the FortiSandbox JRPC API. Rated with a CVSS score of 9.1, this vulnerability enables attackers to bypass authentication using specially crafted HTTP requests. Similarly, CVE-2026-39808, also with a CVSS score of 9.1, allows unauthorized execution of commands through operating system command injection. Both vulnerabilities received patches from Fortinet in April 2026.
The third vulnerability, CVE-2026-25089, was addressed last week. It also involves operating system command injection, impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS Web UI. This vulnerability can lead to unauthorized command execution, and Defused Cyber highlighted that its exploit appears to be AI-generated, albeit with errors. Importantly, a fully functional exploit has not been publicly shared.
Context and Implications
Fortinet devices have increasingly become targets for cyber attackers. Earlier in April 2026, Fortinet had to issue emergency patches for a critical flaw in FortiClient EMS, identified as CVE-2026-35616. This vulnerability, also with a CVSS score of 9.1, had been actively exploited in cyber attacks.
Future Outlook and Recommendations
The continuous targeting of Fortinet products underscores the need for organizations to remain vigilant and promptly apply security patches. Businesses utilizing Fortinet solutions should ensure they are up-to-date with the latest security updates to mitigate potential risks. As cyber threats evolve, staying informed and prepared is crucial to safeguarding sensitive data and infrastructure.
