Full Report
Multiple firms have observed active exploitation of the FortiSandbox defects, and warn that the attacks originate from multiple sources, not a single campaign. Source: CyberScoop, "Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April".
Analysis Summary
# Vulnerability: Active Exploitation of Multiple FortiSandbox Flaws
## CVE Details
- **CVE ID:** CVE-2026-39808, CVE-2026-39813, and CVE-2026-25089
- **CVSS Score:** Critical (exact base scores are not given in the article; all three are categorised as "Critical")
- **CWE:**
  - **CVE-2026-39808:** OS Command Injection
  - **CVE-2026-39813:** Path Traversal
  - **CVE-2026-25089:** Technical type not specified in the article (patched June 9)
## Affected Systems
- **Products:** Fortinet FortiSandbox
- **Versions:** Vulnerabilities disclosed in April 2026 and June 2026 (refer to vendor advisory for specific version ranges).
- **Configurations:** Systems used to analyze suspicious content across enterprise networks.
## Vulnerability Description
The three flaws are of different classes but compound one another. **CVE-2026-39808** is an OS command injection defect, while **CVE-2026-39813** is a path traversal defect. Chained together, they can be used to bypass authentication, escalate privileges, and execute arbitrary commands on the sandbox appliance. Because sandbox appliances are trusted systems with elevated network access, a compromise provides a significant foothold for lateral movement.
## Exploitation
- **Status:** Exploited in the wild. Multiple firms (VulnCheck, Defused) report active exploitation from multiple independent sources.
- **Complexity:** Not explicitly stated, but "commodity infrastructure" and "shared PoCs" suggest low-to-medium complexity for established actors.
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Access to sensitive network traffic and analysis data).
- **Integrity:** High (Execution of arbitrary commands and privilege escalation).
- **Availability:** High (Potential for system takeover or disruption).
## Remediation
### Patches
Fortinet has released patches for all three vulnerabilities:
- **CVE-2026-39808 & CVE-2026-39813:** Patched in April 2026.
- **CVE-2026-25089:** Patched on June 9, 2026.
### Workarounds
The article does not specify temporary workarounds; immediate patching is the recommended course of action given active exploitation.
## Detection
- **Indicators of Compromise:** The article reports activity from 13 malicious sources across nine countries (including China, Taiwan, and the Netherlands); it does not list specific IP addresses or file hashes.
- **Detection methods and tools:** Monitor for unauthorized authentication bypass attempts against the appliance's management interface and for unusual OS command execution originating from the FortiSandbox appliance. Researchers observed 49 exploitation events from 11 distinct IPs in a six-day window, so correlating request volume and distinct source IPs over a multi-day window is a useful triage signal.
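The following is an added example, not code from the article or from Fortinet, of the kind of log triage the detection bullets describe: it scans constructed access-log lines for the two defect classes named above (path traversal sequences, including URL-encoded ones, and shell metacharacters inside query values) and then reports event and distinct-source-IP counts over a six-day window, mirroring the "49 events from 11 IPs in six days" style of measurement the researchers reported. The log line format, the `/api/example/...` paths and every IP and timestamp are assumptions constructed for the example; they are not FortiSandbox's real log format or endpoints.

```python
"""Heuristic triage of appliance access-log lines for the two defect classes
the summary names (path traversal, OS command injection).

Added example. The line format, endpoint paths and sample data are assumed
and constructed here; they are not FortiSandbox's own format or endpoints.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumed (constructed) line format: "<ISO timestamp> <src_ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")

# ".." bounded by a path separator, '=', '?' or '&' on the left and a separator or end on the right
TRAVERSAL_RE = re.compile(r"(?:^|[/\\=?&])\.\.(?:[/\\]|$)")
# Shell metacharacters that should never appear in a well-formed query value
CMD_META_RE = re.compile(r"[;|`$]|&&")


def _normalize(path: str) -> str:
    """URL-decode up to three times so double-encoded sequences like %252e%252e/ become ../."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def classify(path: str) -> list[str]:
    """Return the heuristic tags that apply to one request path (empty list if benign)."""
    norm = _normalize(path)
    tags = []
    if TRAVERSAL_RE.search(norm):
        tags.append("path_traversal")
    query = norm.partition("?")[2]
    if query and CMD_META_RE.search(query):
        tags.append("cmd_injection")
    return tags


def scan_log(lines):
    """Parse each line and keep only those whose path triggers at least one tag."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped rather than guessed at
        ts, ip, method, path, status = m.groups()
        tags = classify(path)
        if tags:
            findings.append({
                "ts": datetime.fromisoformat(ts),
                "ip": ip,
                "method": method,
                "path": path,
                "status": int(status),
                "tags": tags,
            })
    return findings


def summarize(findings, window=timedelta(days=6)):
    """Count events and distinct source IPs in the window ending at the latest finding."""
    if not findings:
        return {"events": 0, "distinct_ips": 0, "by_ip": {}}
    end = max(f["ts"] for f in findings)
    start = end - window
    by_ip = defaultdict(int)
    for f in findings:
        if start <= f["ts"] <= end:
            by_ip[f["ip"]] += 1
    return {"events": sum(by_ip.values()), "distinct_ips": len(by_ip), "by_ip": dict(by_ip)}


# Constructed sample log: one benign request, four suspicious ones inside a six-day
# window, and one older suspicious request that falls outside it.
SAMPLE_LOG = [
    "2026-06-10T08:00:00 203.0.113.5 GET /api/example/report?id=42 200",
    "2026-06-10T08:01:10 203.0.113.5 GET /api/example/files?name=..%2F..%2Fetc%2Fhosts 403",
    "2026-06-12T14:20:00 198.51.100.7 POST /api/example/scan?file=a.txt;id 500",
    "2026-06-13T09:15:30 198.51.100.7 POST /api/example/scan?file=%24(whoami) 500",
    "2026-06-14T11:00:00 192.0.2.9 GET /api/example/files?name=%252e%252e%2Fconfig 404",
    "2026-05-01T10:00:00 192.0.2.9 GET /api/example/files?name=../x 404",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"].isoformat(), f["ip"], f["tags"], f["path"])
    print(summarize(found))
```

The heuristics are deliberately simple: they catch encoded and double-encoded traversal and obvious command-injection metacharacters, and they will produce some false positives on unusual but legitimate values. In practice the per-IP counts from `summarize()` are what you pivot on, since a handful of distinct sources each sending a few such requests over several days matches the multi-source pattern the researchers describe better than any single request does.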
## References
- Fortinet PSIRT FG-IR-26-100 (CVE-2026-39808): hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-100
- Fortinet PSIRT FG-IR-26-112 (CVE-2026-39813): hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-112
- Fortinet PSIRT FG-IR-26-141 (CVE-2026-25089): hxxps[://]fortiguard[.]fortinet[.]com/psirt/FG-IR-26-141
- CyberScoop Article: hxxps[://]cyberscoop[.]com/fortinet-fortisandbox-vulnerabilities-exploits/