INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Fortinet FortiSandbox Vulnerability Exploited in Attacks
2026-06-16 09:19 | CRITICAL HIGH
Executive Summary AI-generated
Fortinet's latest FortiSandbox vulnerabilities have been exploited in the wild, with three critical flaws (CVE-2026-39813, CVE-2026-39808 and CVE-2026-25089) being actively targeted by attackers. The third flaw, CVE-2026-39813, is a path traversal vulnerability that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. This has raised concerns among cybersecurity experts who speculate about the potential use of artificial intelligence in developing exploits for these vulnerabilities.
Technical Mitigations AI-generated
* Implement a robust patch management strategy, including regular updates and testing of Fortinet gear to ensure timely patches for critical vulnerabilities.
* Use secure coding practices and input validation to prevent OS command injection attacks like CVE-2026-25089.
* Regularly monitor system logs and network traffic for signs of exploitation or suspicious activity related to FortiSandbox flaws.
* Consider implementing a sandboxing solution, such as a virtual machine or containerization platform, to isolate vulnerable systems from potential attackers.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-39813
CVE-2025-61624
CVE-2026-39808
CVE-2026-35616
CVE-2026-21643
CVE-2026-25089
CVE-2026-26083
Target & Sectors
Global Scope
Incident Timeline
April 13
Threat actors exploited the CVE-2026-21643 flaw in FortiClient EMS instances.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies on April 13 to secure their FortiClient EMS instances against attacks targeting the CVE-2026-21643 flaw within three days.
April 14
Threat actors exploited the Fortinet FortiSandbox vulnerabilities CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 in attacks targeting systems on April 14.
Fortinet released security updates for these three critical-severity security flaws (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14.
April 2026
Threat actors exploited a critical Fortinet FortiSandbox flaw in the wild.
In April 2026, Fortinet released out-of-band patches for a critical security flaw impacting FortiClient EMS (CVE-2026-35616, CVSS score: 9.1) that it said has been exploited in the wild.
Both vulnerabilities were patched by Fortinet in April 2026.
2026/06/09
Threat actors used a previously patched CVE-2026-25089 vulnerability in FortiSandbox to target the affected software.
Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week.
CVE-2026-25089 (CVSS score: 9.1), on the other hand, was fixed last week, with Fortinet describing it as an operating system command injection impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that could allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
Fortinet Warned as Three Critical FortiSandbox Bugs Come Under Attack
Three FortiSandbox flaws, including one patched last week, are being actively exploited, highlighting the shrinking window for defenders.
Jun 16, 2026
Threat actors exploited known vulnerabilities in Fortinet's FortiSandbox software to target victims.
2026/06/16
Fortinet's FortiSandbox products have been exploited in attacks due to vulnerabilities including CVE-2026-39813 and CVE-2026-39808, which are OS command injection flaws that allow unauthenticated attackers to execute unauthorized code or commands via crafted HTTP requests.
"We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit)," Defused warned on Monday.
Cybersecurity firm Defused Cyber confirmed it’s seen active exploitation of three vulnerabilities in Fortinet FortiSandbox within a 24-hour window.
In a post shared on X, the company said it has observed exploitation of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 over the past 24 hours.
CVE-2026-39813 (CVSS score: 9.1) refers to a path traversal vulnerability in FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.
Most recently, Fortinet released security updates to address another critical vulnerability in FortiSandbox (CVE-2026-26083) that could let attackers achieve remote code execution on unpatched systems.
Fortinet patched a new critical FortiSandbox flaw.
In April, Fortinet also flagged a medium-severity path traversal vulnerability (CVE-2025-61624) as exploited in the wild, a flaw that can let authenticated attackers escalate privileges.
In February, it also patched a critical SQL injection vulnerability (CVE-2026-21643) in the FortiClient Enterprise Management Server (EMS) platform, which Defused flagged as actively exploited one month later.
BleepingComputer reached out to Fortinet to confirm reports of active exploitation, but a response was not immediately available.
In April, the company pushed out-of-band patches for a critical flaw in FortiClient EMS, tracked as CVE-2026-35616 (CVSS score of 9.1), which was already being exploited before the fix arrived.
The vulnerability impacts the following products and versions:
FortiSandbox 5.0.0 through 5.0.5 (Upgrade to 5.0.6 or above)
Fortinet released security updates to address several vulnerabilities affecting FortiSandbox, FortiOS, FortiProxy, and FortiPortal.
The company also patched two medium-severity vulnerabilities affecting FortiOS, FortiProxy, and the FortiPortal API.
Intelligence Sources
* Security Affairs, 2026-06-11: Fortinet patched a new critical FortiSandbox flaw
* BleepingComputer, 2026-06-16: Critical Fortinet FortiSandbox flaws now exploited in attacks
* Security Affairs, 2026-06-16
* The Hacker News, 2026-06-16
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T10:30
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 19x organisation (Identified Entity): Fortinet FortiSandbox
* 7x vulnerability (Exploited CVE): CVE-2026-39813
* 7x timeline (Temporal Reference): April 14
* 7x attribution (Attributing Entity): The U.S. Cybersecurity and Infrastructure Security Agency
* 4x infrastructure (Software Version): 9.1
* 3x tactic (Cyber Operation Type): Ransomware
* 2x tactic (MITRE ATT&CK Technique): T1584.004 - Server
* 2x general metric (%): 54 %
* 2x vulnerability (CVSS Score): 10
Contextual Telemetry
Context Block (6 metrics)
* Fortinet Vulnerabilities: 26
* Years: 13
* Past Hours: 24
* Exploitation: 39,808
* Second Flaw: 9
* Jun: 16