The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday ordered government agencies to prioritize patching two actively exploited vulnerabilities in the Fortinet FortiSandbox threat detection platform.
These two critical-severity security flaws (tracked as CVE-2026-39808 and CVE-2026-25089) were addressed by Fortinet on April 14 and June 9, respectively.
As the company detailed in security advisories issued at the time, successful exploitation allows unauthenticated threat actors to execute unauthorized code remotely through low-complexity command injection attacks that require no user interaction.
To resolve these issues and block incoming attacks, admins must upgrade all affected deployments to the latest released versions.
While Fortinet has yet to tag these two vulnerabilities as used in attacks, and has not yet replied to BleepingComputer’s emails regarding in-the-wild exploitation, threat intelligence company Defused revealed on June 16 that attackers had started abusing them in the wild.
“We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit),” Defused warned.
On Thursday, CISA also confirmed that the flaws are actively exploited in the wild, adding them to its catalog of known exploited vulnerabilities. As mandated by Binding Operational Directive (BOD) 26-04, U.S. federal agencies must patch vulnerable FortiSandbox instances by Sunday, July 19.
In February, Fortinet also patched a critical SQL injection vulnerability (CVE-2026-21643) in the FortiClient Enterprise Management Server (EMS) platform, which Defused flagged as actively exploited one month later.
Two months later, the company addressed another security issue exploited in attacks: a path traversal vulnerability (CVE-2025-61624) that can allow authenticated attackers to escalate privileges.
Fortinet vulnerabilities are often exploited in cyber espionage campaigns and in ransomware attacks (often as zero-days). In total, CISA tracks 28 Fortinet vulnerabilities that have been exploited in attacks in recent years, 13 of which have also been abused in ransomware attacks.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Critical Fortinet FortiSandbox flaws now exploited in attacks
CISA orders feds to patch actively exploited Oracle flaw by Saturday
CISA warns admins to patch actively exploited SharePoint flaws
SonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch now
CISA warns of actively exploited RCE flaws in Joomla extensions
Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days
Microsoft: Some Dell PCs shut down after recent Windows updates
Zoom warns of critical account takeover vulnerability
AI is a data-breach time bomb: Read the new report
AI broke vulnerability management. Get the guide CISOs use to shift budget to BAS.
How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.
Pentest your web apps on-demand. Find what humans miss. Scope and launch a pentest in minutes.
See how Pixellot discovered and secured hundreds of unmanaged AI agent identities in weeks, not months. Read the case study.
Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure
Read our posting guidelinese to learn what content is prohibited.



