Back to Feed
Zero-dayJul 17, 2026

CISA urges immediate action on actively exploited Fortinet flaws

CISA orders federal agencies to patch two actively exploited Fortinet FortiSandbox vulnerabilities by July 19.

Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to immediately patch two critical vulnerabilities (CVE-2026-39808 and CVE-2026-25089) in Fortinet FortiSandbox that are actively exploited in the wild. These flaws allow unauthenticated remote code execution via command injection with no user interaction required. Federal agencies must complete patching by July 19 under the Binding Operational Directive (BOD) 26-04.

Full text

CISA urges immediate action on actively exploited Fortinet flaws By Sergiu Gatlan July 17, 2026 03:03 AM 0 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday ordered government agencies to prioritize patching two actively exploited vulnerabilities in the Fortinet FortiSandbox threat detection platform. These two critical-severity security flaws (tracked as CVE-2026-39808 and CVE-2026-25089) were addressed by Fortinet on April 14 and June 9, respectively. As the company detailed in security advisories issued at the time, successful exploitation allows unauthenticated threat actors to execute unauthorized code remotely through low-complexity command injection attacks that require no user interaction. To resolve these issues and block incoming attacks, admins must upgrade all affected deployments to the latest released versions. While Fortinet has yet to tag these two vulnerabilities as used in attacks, and has not yet replied to BleepingComputer's emails regarding in-the-wild exploitation, threat intelligence company Defused revealed on June 16 that attackers had started abusing them in the wild. "We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit)," Defused warned. On Thursday, CISA also confirmed that the flaws are actively exploited in the wild, adding them to its catalog of known exploited vulnerabilities. As mandated by Binding Operational Directive (BOD) 26-04, U.S. federal agencies must patch vulnerable FortiSandbox instances by Sunday, July 19. In February, Fortinet also patched a critical SQL injection vulnerability (CVE-2026-21643) in the FortiClient Enterprise Management Server (EMS) platform, which Defused flagged ​​​​ as actively exploited one month later. Two months later, the company addressed another security issue exploited in attacks: a path traversal vulnerability (CVE-2025-61624) that can allow authenticated attackers to escalate privileges. Fortinet vulnerabilities are often exploited in cyber espionage campaigns and in ransomware attacks (often as zero-days). In total, CISA tracks 28 Fortinet vulnerabilities that have been exploited in attacks in recent years, 13 of which have also been abused in ransomware attacks. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Critical Fortinet FortiSandbox flaws now exploited in attacksCISA orders feds to patch actively exploited Oracle flaw by SaturdayCISA warns admins to patch actively exploited SharePoint flawsSonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch nowCISA warns of actively exploited RCE flaws in Joomla extensions

Indicators of Compromise

  • cve — CVE-2026-39808
  • cve — CVE-2026-25089
  • cve — CVE-2026-39813
  • cve — CVE-2026-21643
  • cve — CVE-2025-61624

Entities

Fortinet (vendor)FortiSandbox (product)FortiClient EMS (product)CISA (vendor)Defused (vendor)