Threat-intelligence firm Defused reports that attackers are now exploiting three critical flaws in Fortinet's FortiSandbox, the appliance other Fortinet products rely on to judge whether files are malicious. Two (CVE-2026-39813, a JRPC API path traversal that bypasses authentication, and CVE-2026-39808, an unauthenticated command-injection that runs code as root) were patched in April; the third (CVE-2026-25089) only last week. All are unauthenticated and rated critical. Compromising a sandbox is especially dangerous because attackers can make it wave real malware through as clean. Notably, the exploit for one flaw appears to have been generated with AI and is likely faulty, yet attackers are trying it anyway.
Fortinet has patched a critical flaw in FortiSandbox, the appliance that detonates suspicious files and feeds malware verdicts to the rest of a Fortinet security deployment. The bug (CVE-2026-25089, rated 9.8) is an OS command injection in the web interface that lets a remote, unauthenticated attacker run arbitrary commands by sending crafted HTTP requests. Compromising a sandbox is especially dangerous because attackers can both pivot deeper into the network and blind the very system meant to catch malware. Fixed versions are FortiSandbox 5.0.6 and 4.4.9, with matching updates for the Cloud and PaaS editions.
Fortinet patched two critical RCE flaws Tuesday. CVE-2026-44277 in FortiAuthenticator (Fortinet's IAM/MFA platform) lets unauthenticated attackers execute code via crafted requests. CVE-2026-26083 (CVSS 9.1) in FortiSandbox's web UI lets unauthenticated attackers run code via HTTP requests. Neither is confirmed exploited yet, but Fortinet products have a long exploitation history - CISA flagged FortiClient EMS as actively exploited in April. FortiSandbox is the threat-detection backbone for many Fortinet-centric SOCs; FortiAuthenticator gates MFA and SSO.
Day-after recovery: a PoC exploit for a critical vulnerability in Fortinet's FortiSandbox product has been publicly available since April 17. CVE-2026-39808 allows an unauthenticated attacker to execute arbitrary code on affected appliances via the web management interface. FortiSandbox is Fortinet's network-based malware analysis product used to inspect suspicious files before they reach endpoints. Because it sits in the malware analysis path, a compromised FortiSandbox gives attackers visibility into every suspicious file your environment has flagged, including real phishing attempts and incident samples. The PoC release doesn't indicate confirmed in-the-wild exploitation yet, but based on recent patterns the window between public PoC and mass scanning is typically measured in hours. CISA has not yet added this to KEV.