Attackers Exploit Critical Fortinet Vulnerabilities Disclosed in April

“The spread and the shared proof-of-concepts point to multiple independent operators on commodity infrastructure, not one campaign,” Simo Kohonen, founder and CEO of Defused, told CyberScoop.

What researchers observed and when

Security researchers reported active exploitation of two critical vulnerabilities in Fortinet's FortiSandbox product after the vendor disclosed and patched them in April. VulnCheck first observed exploitation of CVE-2026-39808, an OS‑command injection defect, on June 9. Defused confirmed exploitation of the same flaw on June 11 and then observed exploitation of CVE-2026-39813, a path‑traversal vulnerability, on June 15. Defused also reported attempts to exploit a third FortiSandbox vulnerability, CVE-2026-25089, which Fortinet disclosed and patched on June 9.

Scope of activity: events, IPs and geography

Defused traced 49 exploitation events from 11 distinct IP addresses over a six‑day period, and attributed malicious activity to 13 sources originating from nine countries: China, South Korea, Taiwan, India, Singapore, Germany, the Netherlands, Canada and Bulgaria. Researchers emphasized that the pattern of proof‑of‑concepts and distribution suggests multiple independent operators rather than a single coordinated campaign, a point Kohonen reiterated to CyberScoop.

How the exploits behave and what attackers do after access

Researchers observed the exploits bypassing authentication, escalating privileges and allowing execution of arbitrary commands. While researchers have not seen evidence that attackers are chaining the newly observed vulnerabilities together into a single exploit sequence, they reported that the exploits are being used alongside one another in practice. Post‑exploitation activity seen so far has been limited to verification and reconnaissance, the kind of activity that Defused and other researchers said usually precedes a heavier wave of attacks.

Why FortiSandbox matters to defenders

Researchers warned that FortiSandbox is a high‑value target within enterprise security architectures. Simo Kohonen told CyberScoop that “FortiSandbox is high‑value because it ingests from and connects to other Fortinet devices.” Chris Doyle, head of security and compliance at JupiterOne, explained via email that “sandbox appliances are typically trusted systems used to analyze suspicious content and support broader detection workflows, which means a compromise could provide attackers with elevated access within a security sensitive environment.” Multiple research firms also reported seeing the exploit activity in honeypots, signaling that attackers are actively testing or weaponizing proof‑of‑concepts against emulated targets.

What this means for Fortinet customers, policymakers, and security teams

  • Fortinet customers: Researchers have not yet determined how many Fortinet customers are directly impacted. The observed reconnaissance and verification activity indicates customers running FortiSandbox should assume elevated risk until mitigations are applied.
  • Policymakers and regulators: The Cybersecurity and Infrastructure Security Agency (CISA) has flagged 26 Fortinet vulnerabilities in its known exploited vulnerabilities catalog since 2021; as of Wednesday, the agency hadn’t added any of the new Fortinet defects to its catalog.
  • Security operations teams: Because the exploits enable arbitrary command execution and privilege escalation and because sandbox appliances typically sit at a high trust level, teams should prioritize detection and containment measures for FortiSandbox instances and monitor for the reconnaissance behaviors researchers reported.
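As an added example (not code from the article, Defused, VulnCheck or Fortinet), the triage script below runs over constructed HTTP access-log lines, flags the two bug classes the article names, path traversal and OS command injection, and then counts events and distinct source IPs the way the researchers' tallies above are expressed. The log format, the endpoint names and the detection patterns are assumptions: the article does not publish the exploit requests, so these are generic indicators for a first pass over appliance logs, not FortiSandbox signatures.

```python
"""Flag path-traversal and OS-command-injection probes in HTTP access logs
and summarise them per source IP.

Added example, not code from CyberScoop, Defused, VulnCheck or Fortinet.
Patterns are generic indicators, not the FortiSandbox payloads (which the
article does not describe). Log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined-log shape (assumption: the appliance
# writes HTTP access logs in this format). Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jun/2026:08:01:12 +0000] "GET /api/v1/status HTTP/1.1" 200 512
203.0.113.10 - - [11/Jun/2026:08:01:15 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1843
198.51.100.7 - - [11/Jun/2026:08:02:40 +0000] "GET /download?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843
198.51.100.7 - - [11/Jun/2026:08:02:41 +0000] "POST /api/scan?name=report;id HTTP/1.1" 200 77
192.0.2.55 - - [11/Jun/2026:08:03:05 +0000] "POST /api/scan?name=report%24%28whoami%29 HTTP/1.1" 200 77
192.0.2.56 - - [11/Jun/2026:08:03:09 +0000] "GET /static/logo.png HTTP/1.1" 200 9012
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." path segment, whichever separator the attacker used.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\])\.\.(?:[/\\]|$)')
# Shell metacharacters that have no business in a parameter value.
# Applied to query values only, so "&" as a query separator never fires.
CMD_INJECT_RE = re.compile(r'[;|`]|\$\(|\$\{|&&')


def classify(target):
    """Return the set of indicator tags found in one request target."""
    parts = urlsplit(target)
    # Decode twice so double-encoded probes (%252e%252e) normalise as well.
    path = unquote(unquote(parts.path))
    # parse_qsl decodes once; the extra unquote catches double encoding.
    values = [unquote(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = set()
    if TRAVERSAL_RE.search(path) or any(TRAVERSAL_RE.search(v) for v in values):
        hits.add("path_traversal")
    if any(CMD_INJECT_RE.search(v) for v in values):
        hits.add("command_injection")
    return hits


def triage(log_text):
    """Parse each log line and keep only those carrying an indicator."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        tags = classify(m["target"])
        if tags:
            events.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                # A 2xx on a probe is the "verification" signal worth escalating.
                "status": int(m["status"]),
                "tags": sorted(tags),
            })
    return events


def summarise(events):
    """Count events and distinct source IPs, with the tags seen per IP."""
    per_ip = defaultdict(lambda: {"events": 0, "tags": set()})
    for e in events:
        per_ip[e["ip"]]["events"] += 1
        per_ip[e["ip"]]["tags"].update(e["tags"])
    return {
        "events": len(events),
        "distinct_ips": len(per_ip),
        "per_ip": {ip: {"events": d["events"], "tags": sorted(d["tags"])}
                   for ip, d in per_ip.items()},
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for e in found:
        print(e["ip"], e["ts"], e["status"], ",".join(e["tags"]), e["target"])
    print(summarise(found))
```

The point of the per-IP summary is to separate one noisy scanner from several independent sources, which is the distinction the researchers drew above; a second pass would join the flagged IPs against the appliance's own event log to see whether any probe was followed by a successful login or command execution.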

Fortinet disclosed and patched CVE-2026-39808 and CVE-2026-39813 in April, and disclosed and patched CVE-2026-25089 on June 9. The company did not confirm exploitation of the defects in published reports and did not respond to a request for comment, according to the reporting.

The incidents recorded to date — dozens of events across multiple IPs and countries, plus attempts against a recently patched June vulnerability — mark the early stages of a developing situation. Researchers note the pattern of activity and the role FortiSandbox plays in enterprise environments make continued monitoring and rapid patching important next steps. The record so far leaves open how many production FortiSandbox deployments have been breached and whether attackers shift from reconnaissance to more destructive or data‑exfiltration actions.

Source: https://cyberscoop.com/fortinet-fortisandbox-vulnerabilities-exploits/