Tech Translated

IT Security & Technology Blog

Practical IT insights for Australian businesses. Our team covers cybersecurity advisories, compliance updates, and plain-English explainers on the technology your business relies on, published regularly as the landscape shifts.

Security alert graphic for Fortinet FortiSandbox vulnerabilities CVE-2026-39808 and CVE-2026-25089 with PATCH NOW label

FortiSandbox flaws under active attack — patch deadline is tomorrow

CISA has confirmed that two critical vulnerabilities in Fortinet’s FortiSandbox threat detection platform are being actively exploited. Both are OS command injection flaws that let an unauthenticated attacker execute arbitrary commands remotely — no credentials required, no user interaction needed.

CISA has set a patch deadline of 19 July — that’s tomorrow. If you run FortiSandbox, FortiSandbox Cloud, or FortiSandbox PaaS, this needs action today.

What’s Being Exploited

CVE-2026-39808 and CVE-2026-25089 both carry CVSS scores of 9.1. They affect FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Fortinet patched them in April and June respectively, but threat intelligence firm Defused confirmed exploitation attempts in mid-June, and CISA added both to its Known Exploited Vulnerabilities catalogue this week.

Here’s the pattern we see across Australian SMB environments: FortiSandbox appliances sit behind the FortiGate firewall, so they get treated as internal infrastructure. They’re patched less frequently than the firewall itself because nobody thinks of them as internet-facing. But a command injection flaw over HTTP doesn’t care where in the network the appliance sits — any reachable management interface is an attack surface.

What to Do

  • Update FortiSandbox now. Apply the latest firmware that addresses both CVEs. Fortinet’s advisories for FG-IR-26-100 and FG-IR-26-141 list the fixed versions.
  • If you can’t patch immediately, restrict management interface access to known admin IPs only. Block HTTP/HTTPS access from any untrusted network segment.
  • Check your logs for unexpected command execution or unusual HTTP requests hitting the FortiSandbox management interface.
  • If your IT provider manages your Fortinet stack, confirm with them today that FortiSandbox is patched — not just the FortiGate.

CISA now tracks 28 Fortinet vulnerabilities that have been exploited in attacks in recent years, 13 of which were also used in ransomware campaigns. This isn’t a one-off — Fortinet appliances are a consistent target.

Not Sure Whether Your Fortinet Stack Is Fully Patched?

All IT Services manages Fortinet and other security platforms across Sydney, Central West NSW, Brisbane, and Melbourne. If you’re unsure whether your sandbox appliance is current, get in touch.


Related Guide

Cybersecurity for Sydney SMBs

Explore our complete guide to protecting your business from cyber threats.

Read the Full Guide →