Fortinet sandbox flaws under active attack after patches

Fortinet’s security sandbox appliances are facing active exploitation of three critical vulnerabilities, just days after the vendor issued patches. The flaws, all rated 9.1 on the CVSS scale, allow unauthenticated attackers to bypass authentication, escalate privileges, and execute arbitrary code remotely. While Fortinet released fixes for two of the vulnerabilities in April and the third last week, threat intelligence firm Defused confirmed exploitation began over the weekend, raising concerns about the speed of attacker adoption.

What was patched

The three vulnerabilities affect different components of Fortinet’s sandboxing solutions. CVE-2026-39813, a path traversal bug in the FortiSandbox JRPC API, enables authentication bypass via crafted HTTP requests. It impacts FortiSandbox versions 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5, with fixes available in versions 4.4.9 and 5.0.6. Fortinet credited security analyst Loic Pantano for discovering this flaw.

CVE-2026-39808 and CVE-2026-25089 are both OS command injection vulnerabilities. The former affects FortiSandbox versions 4.4.0 through 4.4.8 and was patched in version 4.4.9. KPMG Spain researcher Samuel de Lucas Maroto reported this bug. The latter, CVE-2026-25089, extends to FortiSandbox Cloud and FortiSandbox PaaS WEB UI, affecting versions 4.4.0 through 4.4.8, 5.0.0 through 5.0.5, and cloud variants 5.0.4 through 5.0.5. Defused noted that no public exploit exists for this flaw, suggesting attackers may be using an unrefined or privately developed exploit.

Why exploitation is accelerating

The rapid exploitation of these vulnerabilities aligns with a broader trend of attackers targeting Fortinet products. Earlier this month, Check Point Research warned that ransomware groups had exploited a critical authentication bypass in Fortinet’s Remote Access VPN and Mobile Access deployments. The same groups were suspected of leveraging other VPN-related vulnerabilities in Fortinet’s portfolio. The pattern suggests that threat actors are prioritizing Fortinet appliances due to their widespread use in enterprise and cloud environments, where they often serve as gatekeepers for network security.

Defused’s observation that the exploit for CVE-2026-25089 appears to be "vibe coded"—potentially unstable or hastily developed—indicates that attackers are moving quickly to capitalize on the window between patch release and widespread adoption. This urgency underscores the importance of timely updates, particularly for security appliances that are directly exposed to the internet.

What administrators should do

Fortinet has not responded to inquiries about whether it has observed attacks targeting these vulnerabilities. However, the active exploitation reported by Defused leaves little room for delay. Administrators should prioritize upgrading affected FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS deployments to the patched versions immediately. For environments where immediate patching is not feasible, temporary mitigations—such as restricting access to the sandbox interfaces or implementing additional network-level controls—should be considered.

The speed of exploitation highlights the need for proactive vulnerability management, particularly for security appliances that are frequent targets of opportunistic attacks. Organizations relying on Fortinet’s sandboxing solutions should treat these vulnerabilities as a critical priority to prevent potential breaches or lateral movement within their networks.