Critical Fortinet FortiSandbox Bugs Are Being Targeted After Recent Patches
Attackers are targeting three recently patched Fortinet FortiSandbox vulnerabilities, including two critical flaws disclosed in April and a third critical command injection bug disclosed in June.
Threat intelligence company Defused observed exploitation attempts against CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089, according to a Help Net Security report. SecurityWeek also reported that Defused honeypots saw attempts to exploit all three FortiSandbox vulnerabilities in the wild.
The issue matters because FortiSandbox is not just another management appliance. It analyzes suspicious files and can feed verdicts to other Fortinet products. If attackers compromise it, they could gain a valuable foothold inside a network or interfere with malware analysis workflows.
What Fortinet Patched
CVE-2026-39813 is a path traversal vulnerability in the FortiSandbox JRPC API. Fortinet says the flaw can let an unauthenticated attacker bypass authentication through specially crafted HTTP requests, according to the CVE-2026-39813 advisory.
CVE-2026-39808 is an OS command injection vulnerability in a FortiSandbox API endpoint. The CVE-2026-39808 advisory says an unauthenticated attacker could execute unauthorized code or commands by sending crafted HTTP requests.
CVE-2026-25089 is another OS command injection flaw, this time affecting the FortiSandbox web interface, FortiSandbox Cloud, and FortiSandbox PaaS. Fortinet published the CVE-2026-25089 advisory on June 9, 2026.
| CVE | Bug type | Impact | Fixed versions |
|---|---|---|---|
| CVE-2026-39813 | Path traversal in JRPC API | Authentication bypass and privilege escalation | Fortinet lists FortiSandbox 4.4.9 and 5.0.6 or later |
| CVE-2026-39808 | OS command injection in API endpoint | Unauthenticated code or command execution | Fortinet lists FortiSandbox 4.4.9 or later |
| CVE-2026-25089 | OS command injection in web UI | Unauthenticated command execution | Fortinet lists FortiSandbox 4.4.9 and 5.0.6 or later, with Cloud and PaaS fixes in 5.0.6 or later |
Exploitation Reports Come From Honeypot Telemetry
Fortinet’s own advisories still mark the three flaws as not known to be exploited. However, Defused’s sensors reportedly captured attempts against FortiSandbox-like targets, and SecurityWeek reported that the activity involved CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089.
The reported attempts targeted exposed FortiSandbox services over HTTPS. The requests were aimed at the FortiSandbox API surface, which makes internet-exposed management interfaces especially risky for organizations that have not patched yet.

Security teams should treat the activity as a patch-priority signal even without vendor-confirmed exploitation. Attackers often move quickly after critical enterprise security bugs become public, especially when the flaws require no authentication.
Why These Bugs Are High Risk
All three vulnerabilities can be triggered remotely and without valid credentials. That combination raises the risk for any FortiSandbox system reachable from untrusted networks.
The reported activity also includes signs of uneven exploit quality. Defused said one exploit attempt related to CVE-2026-25089 appeared to be faulty or generated with weak logic, according to the Help Net Security coverage. Even so, failed probing can still show that attackers are testing targets and refining payloads.
Admins should not wait for a working public exploit to appear. FortiSandbox sits in a sensitive part of the security stack, and a compromise could affect malware triage, security automation, and internal trust decisions.
What Administrators Should Do Now
- Upgrade affected FortiSandbox appliances to the fixed versions listed by Fortinet.
- Check whether FortiSandbox management or API endpoints are exposed to the internet.
- Restrict access to trusted administrative networks or VPN-only access where possible.
- Review HTTPS logs for unusual POST requests to FortiSandbox API paths.
- Investigate any access from unfamiliar infrastructure, especially if requests targeted FortiSandbox APIs.
- Confirm whether FortiSandbox Cloud and PaaS deployments run fixed versions.
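As an added defender-side example (not code from the article, Defused, or Fortinet), the following Python scans web access log lines for POST requests to assumed FortiSandbox API path prefixes that carry path-traversal sequences or shell metacharacters, the two bug classes named above. The `/jrpc` and `/api/` prefixes and the log lines are constructed assumptions, not values taken from the advisories.

```python
import re
from urllib.parse import unquote

# Assumed API path prefixes (placeholders; substitute your deployment's real API paths).
API_PREFIXES = ("/jrpc", "/api/")

# Constructed sample access log lines in common log format (not real telemetry).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2026:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [12/Jun/2026:10:01:09 +0000] "POST /jrpc/../../admin/config HTTP/1.1" 200 88
198.51.100.4 - - [12/Jun/2026:10:02:15 +0000] "POST /api/v1/upload?name=a%3Bid HTTP/1.1" 500 0
192.0.2.10 - - [12/Jun/2026:10:03:44 +0000] "POST /api/v1/submit HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")   # a ".." path segment after decoding
SHELL_META_RE = re.compile(r"[;|&`$]")          # common command-separator characters


def classify(path: str) -> list[str]:
    """Return the indicator names found in a request path (decoded twice to catch %25 double encoding)."""
    decoded = unquote(unquote(path))
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path-traversal")
    if SHELL_META_RE.search(decoded):
        reasons.append("shell-metachar")
    return reasons


def scan(log_text: str) -> list[dict]:
    """Flag POST requests to the assumed API prefixes whose path carries an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(API_PREFIXES):
            continue
        reasons = classify(m["path"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {', '.join(f['reasons'])}")
```

Hits are a prompt to check the source against known scanners and to confirm the appliance runs a fixed version, not proof of compromise on their own.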
Organizations running FortiSandbox 4.4.x, 5.0.x, or older 4.2.x deployments should review exposure immediately. The June advisory covers FortiSandbox Cloud and PaaS as well, so cloud-hosted deployments should not be ignored.
Fortinet patched these flaws before the latest exploitation reports surfaced, which means remediation is already available. The fastest way to reduce risk is to upgrade, remove unnecessary public exposure, and monitor logs for FortiSandbox-specific probing.
Security teams should also track new public reporting, as SecurityWeek noted that Defused and other exploit intelligence sources have seen recent targeting around Fortinet products.
FAQ
Third-party threat intelligence reporting says attackers are attempting to exploit CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. Fortinet’s advisories still list the flaws as not known to be exploited, so the current exploitation claim comes from external telemetry rather than vendor confirmation.
The reported activity involves CVE-2026-39813, a path traversal authentication bypass issue, CVE-2026-39808, an OS command injection flaw in an API endpoint, and CVE-2026-25089, an OS command injection flaw in the FortiSandbox web interface.
No. Fortinet describes the three vulnerabilities as unauthenticated attack paths. That means attackers do not need valid FortiSandbox credentials if they can reach the vulnerable service.
Administrators should upgrade affected FortiSandbox 4.4.x and 5.0.x systems to FortiSandbox 4.4.9 or 5.0.6 or later, depending on the branch. CVE data also lists FortiSandbox 4.2.x as affected by CVE-2026-25089, while FortiSandbox Cloud and PaaS 5.0.4 through 5.0.5 should move to 5.0.6 or later.
Security teams should review logs for suspicious HTTPS requests to FortiSandbox API paths, confirm that management interfaces are not exposed to the public internet, and investigate any unusual administrative access or scanning activity around the appliance.