Critical Fortinet FortiSandbox flaws now exploited in attacks
Attackers exploit critical Fortinet FortiSandbox flaws, enabling privilege escalation and RCE.
Summary
Threat actors are actively exploiting critical vulnerabilities in Fortinet's FortiSandbox platform, allowing for privilege escalation and remote code execution. Fortinet released patches in April for CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089, which are being exploited via low-complexity command injection attacks. The company also noted a medium-severity path traversal vulnerability, CVE-2025-61624, is being chained with other issues.
Full text
By Sergiu Gatlan, June 16, 2026 05:19 AM

Attackers are now exploiting several critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform, according to threat intelligence company Defused.

Fortinet released security updates for these three critical-severity security flaws (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14. These flaws allow unauthenticated threat actors to escalate privileges and execute unauthorized code remotely through low-complexity command injection attacks that require no user interaction. To resolve these issues and block incoming attacks, admins must upgrade affected deployments to the latest released versions.

"We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit)," Defused warned on Monday. "Per our research a working exploit for CVE-2026-25089 has not yet been publicly disclosed."

In April, Fortinet also flagged a medium-severity path traversal vulnerability (CVE-2025-61624) as exploited in the wild, a flaw that can let authenticated attackers escalate privileges. However, successful exploitation requires high privileges on the targeted systems, implying that it was very likely chained with another security issue.

BleepingComputer reached out to Fortinet to confirm reports of active exploitation, but a response was not immediately available.

Fortinet security flaws are often exploited in ransomware attacks (often as zero-day bugs) and in cyber espionage campaigns to breach the targets' networks. Most recently, Fortinet released security updates to address another critical vulnerability in FortiSandbox (CVE-2026-26083) that could let attackers achieve remote code execution on unpatched systems.
In February, it also patched a critical SQL injection vulnerability (CVE-2026-21643) in the FortiClient Enterprise Management Server (EMS) platform, which Defused flagged as actively exploited one month later. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies on April 13 to secure their FortiClient EMS instances against attacks targeting the CVE-2026-21643 flaw within three days.

In total, CISA tracks 26 Fortinet vulnerabilities that have been exploited in attacks in recent years, 13 of which were abused by ransomware gangs.
Indicators of Compromise
- cve — CVE-2026-39813
- cve — CVE-2026-39808
- cve — CVE-2026-25089
- cve — CVE-2025-61624
- cve — CVE-2026-26083
- cve — CVE-2026-21643