Recent reports indicate that cyber attackers are actively exploiting three critical vulnerabilities in Fortinet’s FortiSandbox security appliances. These vulnerabilities, identified as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089, each carry a CVSS severity score of 9.1, underscoring their potential impact.
CVE-2026-39813 pertains to a path traversal flaw within the FortiSandbox JSON-RPC (JRPC) API. This vulnerability allows unauthenticated attackers to bypass authentication mechanisms by sending specially crafted HTTP requests. Similarly, CVE-2026-39808 involves an operating system command injection vulnerability, enabling unauthenticated attackers to execute arbitrary code or commands through malicious HTTP requests. Both of these vulnerabilities were addressed by Fortinet with patches released in April 2026.
The third vulnerability, CVE-2026-25089, was patched more recently. This flaw also involves operating system command injection, affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web interfaces. It allows unauthenticated attackers to execute unauthorized commands via specifically crafted HTTP requests. Notably, the exploit for CVE-2026-25089 appears to have been developed using artificial intelligence models, though it is reportedly faulty, and no fully functional exploit has been publicly disclosed.
Fortinet’s security appliances have been frequent targets for cyber attackers in recent years. In April 2026, the company released out-of-band patches for another critical vulnerability in FortiClient EMS (CVE-2026-35616), which had been exploited in the wild. This pattern highlights the persistent threats facing network security devices and the importance of timely patching and vigilant monitoring.
The exploitation of these vulnerabilities underscores the critical need for organizations to maintain up-to-date security measures. Regularly applying patches, monitoring for unusual activity, and implementing robust access controls are essential steps in mitigating the risks associated with such vulnerabilities. As attackers continue to target security appliances, proactive defense strategies become increasingly vital to protect sensitive data and maintain network integrity.
