FortiSandbox flaws under active attack — patch deadline is tomorrow
CISA has confirmed that two critical vulnerabilities in Fortinet’s FortiSandbox threat detection platform are being actively exploited. Both are OS command injection flaws that let an unauthenticated attacker execute arbitrary commands remotely — no credentials required, no user interaction needed.
What’s Being Exploited
CVE-2026-39808 and CVE-2026-25089 both carry CVSS scores of 9.1. They affect FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Fortinet patched them in April and June respectively, but threat intelligence firm Defused confirmed exploitation attempts in mid-June, and CISA added both to its Known Exploited Vulnerabilities catalogue this week.
What to Do
- Update FortiSandbox now. Apply the latest firmware that addresses both CVEs. Fortinet’s advisories for FG-IR-26-100 and FG-IR-26-141 list the fixed versions.
- If you can’t patch immediately, restrict management interface access to known admin IPs only. Block HTTP/HTTPS access from any untrusted network segment.
- Check your logs for unexpected command execution or unusual HTTP requests hitting the FortiSandbox management interface.
- If your IT provider manages your Fortinet stack, confirm with them today that FortiSandbox is patched — not just the FortiGate.
CISA now tracks 28 Fortinet vulnerabilities that have been exploited in attacks in recent years, 13 of which were also used in ransomware campaigns. This isn’t a one-off — Fortinet appliances are a consistent target.
Not Sure Whether Your Fortinet Stack Is Fully Patched?
All IT Services manages Fortinet and other security platforms across Sydney, Central West NSW, Brisbane, and Melbourne. If you’re unsure whether your sandbox appliance is current, get in touch.
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
