Researchers have observed active exploitation of two critical vulnerabilities in Fortinet's FortiSandbox product, posing a significant threat to organizations that rely on the appliance for advanced threat detection. Fortinet released patches for these flaws in April; continued exploitation of already-patched flaws indicates that many deployed systems have not yet been updated.
The vulnerabilities, identified as CVE-2026-39808 and CVE-2026-39813, were first seen being exploited on June 9 and June 15 respectively, according to reports from cybersecurity research firms. FortiSandbox is a key component in many enterprise security infrastructures, designed to analyze potentially malicious files and links to protect networks from emerging threats.
Exploitation of Fortinet Vulnerabilities Underway
Researchers at Defused confirmed observing exploitation of CVE-2026-39808, an OS command-injection vulnerability, shortly after VulnCheck first detected exploitation attempts. The firm confirmed exploitation of CVE-2026-39813, a path-traversal vulnerability, a few days later. Both flaws allow attackers to gain unauthorized access to affected appliances and execute commands on them.
Simo Kohonen, founder and CEO of Defused, reported observing 49 exploitation events from 11 distinct IP addresses over a six-day period targeting these two defects. Attackers are also reportedly attempting to exploit a third FortiSandbox vulnerability, CVE-2026-25089, which Fortinet disclosed and patched on June 9.
Attack Vectors and Scope
Researchers have not yet determined how many Fortinet customers are affected, but the initial post-exploitation activity they observed, consisting of verification and reconnaissance, suggests that a larger wave of attacks could follow. Defused traced the observed malicious activity to sources in nine different countries.
Kohonen indicated that the broad distribution and sharing of proof-of-concept exploits point to multiple independent actors rather than a single coordinated campaign. The exploitation is being carried out from commodity infrastructure, which makes attribution to specific threat groups harder.
Researchers have not observed evidence of attackers chaining these vulnerabilities together. The exploits do not need to be chained to be effective, however: between them, the flaws allow attackers to bypass authentication, escalate privileges, and execute arbitrary commands on compromised FortiSandbox appliances.
Implications for Network Security
The active exploitation of these Fortinet vulnerabilities is concerning because FortiSandbox appliances are typically treated as trusted systems within an organization's security architecture. Compromising such a device could give attackers a privileged foothold in a security-sensitive environment.
Chris Doyle, head of security and compliance at JupiterOne, explained that sandbox appliances are crucial for analyzing suspicious content and supporting broader detection workflows. A compromise could therefore have significant ramifications for an organization’s overall security posture.
FortiSandbox is also a high-value target because, as Kohonen noted, it integrates with other Fortinet devices. That connectivity means a breach of the sandbox could open a path into other parts of a customer's Fortinet security ecosystem.
The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities (KEV) catalog, but as of Wednesday none of the new Fortinet defects had been added. CISA typically adds an entry once it has reliable evidence of active exploitation and a clear remediation action exists; listing in the catalog also sets a remediation deadline for federal agencies.
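Because KEV status lags behind exploitation reports like the ones above, a practitioner will often want to check the catalog for a specific set of CVE IDs rather than wait for a listing. The following Python script is an added example, not code from the article or from Fortinet, Defused or CISA. It parses a feed in the layout of CISA's public KEV JSON (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), reports which of the queried CVEs are listed, and flags listed entries whose remediation due date has passed. The catalog content embedded here is a constructed sample with a placeholder CVE ID so the script runs offline; the `fetch_kev` helper is the only part that touches the network and is not called by default.

```python
import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the layout of the KEV feed. The single entry is invented for
# illustration (placeholder CVE ID and vendor); it is not a real catalog entry.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2026-06-17T00:00:00.0000Z",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-0000-0000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "ExampleProduct OS command injection (constructed sample)",
            "dateAdded": "2026-06-01",
            "shortDescription": "Constructed sample entry for illustration only.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-06-22",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        }
    ],
})


def fetch_kev(url: str = KEV_URL, timeout: int = 30) -> str:
    """Download the live KEV feed as text (network access; not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(text: str) -> dict:
    """Index a KEV feed by upper-cased CVE ID so repeated lookups are O(1)."""
    data = json.loads(text)
    return {entry["cveID"].upper(): entry for entry in data["vulnerabilities"]}


def check_cves(kev: dict, cve_ids, today: date) -> dict:
    """Return, per queried CVE, whether it is listed and, if so, its KEV deadline status.

    The federal remediation deadline is the 'dueDate' field; 'overdue' is True once
    'today' is later than that date.
    """
    report = {}
    for cve in cve_ids:
        entry = kev.get(cve.upper())
        if entry is None:
            report[cve] = {"listed": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        report[cve] = {
            "listed": True,
            "date_added": entry["dateAdded"],
            "due_date": entry["dueDate"],
            "overdue": today > due,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        }
    return report


def entries_for_vendor(kev: dict, vendor: str) -> list:
    """List every catalog CVE ID for a vendor (case-insensitive match on vendorProject)."""
    return sorted(
        entry["cveID"] for entry in kev.values()
        if entry["vendorProject"].lower() == vendor.lower()
    )


if __name__ == "__main__":
    # Offline demo against the constructed sample; swap in fetch_kev() for the live feed.
    catalog = load_kev(SAMPLE_KEV_JSON)
    watchlist = ["CVE-2026-39808", "CVE-2026-39813", "CVE-2026-25089"]
    for cve, status in check_cves(catalog, watchlist, date.today()).items():
        print(cve, "LISTED" if status["listed"] else "not in KEV", status)
    print("Fortinet entries in this catalog:", entries_for_vendor(catalog, "Fortinet"))
```

Run against the live feed by replacing `SAMPLE_KEV_JSON` with `fetch_kev()`. An absent entry means only that CISA has not listed the CVE, not that it is unexploited, which is exactly the situation the article describes; treat vendor advisories and exploitation reports, not KEV alone, as the trigger for patching.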
The situation highlights the ongoing challenge of defending against N-day exploits: patches for these flaws have been available since April, yet exploitation continues against unpatched appliances. Organizations must prioritize timely patching and robust security monitoring to mitigate the risk from known and actively exploited vulnerabilities.
Moving forward, the focus will be on how many organizations apply the patches issued by Fortinet and whether the observed exploitation activity escalates. The absence of a CISA KEV listing does not diminish the immediate threat to affected Fortinet users.