Overview
- Defused Cyber said Tuesday it observed active exploitation of three FortiSandbox flaws (CVE-2026-39813, CVE-2026-39808 and CVE-2026-25089) within a 24-hour window.
- CVE-2026-39813 is a path-traversal flaw in the FortiSandbox JRPC API that can be used to bypass authentication; CVE-2026-39808 is an operating-system command injection that can enable unauthenticated remote code execution.
- Fortinet issued patches earlier in April for the first two flaws and released a fix for CVE-2026-25089 last week; security outlets reported they had not yet received confirmation from Fortinet about the new exploitation reports.
- Researchers say the observed exploit for CVE-2026-25089 appears to show signs of AI-assisted development and is faulty, but no working public exploit has been verified and attackers continue to probe unpatched systems.
- U.S. agencies and analysts warn that Fortinet gear is a frequent target for ransomware and espionage: CISA tracks dozens of Fortinet flaws exploited in recent years, and unpatched FortiSandbox deployments in enterprise or government networks risk rapid takeover or data loss.