Threat actors are actively exploiting multiple security vulnerabilities within Fortinet FortiSandbox appliances, according to a recent advisory from cybersecurity firm Defused Cyber. The firm reported observing exploitation attempts for three specific vulnerabilities, CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089, within a 24-hour period, highlighting an urgent need for organizations using these Fortinet products to review their security posture.
These exploits target critical flaws that could allow unauthenticated attackers to gain unauthorized access and execute commands on compromised systems. The timing of these attacks, following recent patches from Fortinet, suggests that threat actors are rapidly attempting to leverage newly disclosed or unpatched vulnerabilities in widely used cybersecurity infrastructure.
Exploited Fortinet FortiSandbox Vulnerabilities Pose Significant Risk
The vulnerabilities identified by Defused Cyber are severe, with two of them, CVE-2026-39813 and CVE-2026-39808, carrying a high CVSS score of 9.1. CVE-2026-39813 is a path traversal vulnerability affecting the FortiSandbox JRPC API. This flaw could enable an unauthenticated attacker to bypass authentication mechanisms by sending specially crafted HTTP requests to the device.
In parallel, CVE-2026-39808 also presents a critical risk, classified as an operating system command injection. This vulnerability could permit an unauthenticated attacker to execute arbitrary code or commands on the FortiSandbox system through similar crafted HTTP requests. Fortinet had previously released patches for both CVE-2026-39813 and CVE-2026-39808 in April 2026, indicating that these exploits are targeting systems that have not yet been updated.
A Third Vulnerability, CVE-2026-25089, Also Under Attack
Adding to the evolving threat landscape, CVE-2026-25089, another critical security flaw with a CVSS score of 9.1, is also being exploited. Fortinet addressed this vulnerability just last week. Described as an operating system command injection affecting the web user interface (WEB UI) of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS, it allows unauthenticated attackers to execute unauthorized commands via carefully crafted HTTP requests.
Interestingly, Defused Cyber noted that the exploit observed for CVE-2026-25089 shows indications of being developed using artificial intelligence (AI) tools. However, the firm also reported that the exploit appears to be faulty, and a functionally verified public exploit for this specific vulnerability has not yet been disclosed. This suggests a dynamic and potentially AI-assisted arms race in the cybersecurity threat intelligence space.
Broader Context of Fortinet Vulnerabilities Under Attack
This recent activity underscores a growing trend of attackers specifically targeting Fortinet appliances. In April 2026, Fortinet issued out-of-band patches for a critical security flaw, CVE-2026-35616, impacting FortiClient Enterprise Management Server (EMS) with a CVSS score of 9.1. At the time, the company acknowledged that this vulnerability had already been exploited in the wild, emphasizing the immediate danger posed by unpatched Fortinet products.
The continuous discovery and exploitation of vulnerabilities in widely deployed security solutions like Fortinet products highlight the persistent challenges in maintaining robust cybersecurity defenses. Organizations must remain vigilant in applying security patches promptly and conducting regular security audits to mitigate the risk of compromise.
Looking Ahead: Patching Urgency and Continued Monitoring
The immediate next step for organizations utilizing Fortinet FortiSandbox is to prioritize the swift deployment of the patches released by Fortinet for CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. Given the active exploitation, delaying these updates significantly increases the attack surface. Security teams should also bolster their monitoring capabilities to detect any suspicious activity that might indicate a compromise, even after patching.
The involvement of AI in exploit development, as suggested by Defused Cyber, indicates a potential acceleration in the sophistication and speed of future attacks. Cybersecurity professionals will need to adapt their threat detection and response strategies accordingly. Further advisories from Fortinet and threat intelligence firms will be crucial in understanding the full scope of these ongoing exploitation campaigns and developing effective countermeasures.