Attackers Exploit Critical Fortinet FortiSandbox Vulnerabilities

Threat actors have begun targeting multiple high-severity weaknesses in Fortinet's FortiSandbox threat detection solution, according to intelligence gathered by Defused.

Exploitation of three critical flaws observed in past day. On Monday the firm reported seeing attacks against CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 within the previous 24 hours. CVE-2026-39813 reportedly had no earlier documented use in the wild, while Defused described the CVE-2026-25089 exploit as "vibecoded, likely faulty" and noted that "a working exploit for CVE-2026-25089 has not yet been publicly disclosed."

Fortinet issued patches in mid-April. The vendor published fixes for the trio of critical issues on April 14. The problems let unauthenticated outsiders raise their access rights and run arbitrary commands through straightforward injection techniques that need neither victim interaction nor advanced skills.

Admins urged to upgrade immediately. Organizations should move affected FortiSandbox instances to the newest available releases to close the gaps and stop ongoing assaults. BleepingComputer contacted Fortinet for comment on the exploitation reports but received no immediate reply.

Related Fortinet vulnerabilities also exploited. During the same month Fortinet disclosed that a medium-severity path traversal bug tracked as CVE-2025-61624 was already being abused against live targets. That weakness permits authenticated users to elevate privileges yet demands substantial preexisting rights on the targeted systems, suggesting it is typically paired with a separate flaw. Fortinet separately corrected another critical FortiSandbox vulnerability, CVE-2026-26083, that could enable remote code execution on systems not yet updated.

Pattern of Fortinet flaws in ransomware and espionage. Shortcomings in Fortinet products are frequently leveraged both by ransomware operators, often while still zero-days, and by espionage groups seeking initial network access. In February the company repaired a critical SQL injection flaw, CVE-2026-21643, inside the FortiClient Enterprise Management Server. Defused identified active exploitation of that issue one month afterward. On April 13 the U.S. Cybersecurity and Infrastructure Security Agency directed federal departments to lock down their FortiClient EMS deployments against CVE-2026-21643 attacks inside a three-day window.

CISA tracks dozens of exploited Fortinet issues. Across recent years CISA has cataloged 26 Fortinet vulnerabilities confirmed in real intrusions, 13 of them leveraged by ransomware groups.