Skip to main content
Emerging Threats

CISA Orders Emergency Patch for Exploited Fortinet Vulnerabilities

Technician applies security patch to computer system, symbolizing vulnerability fix.

CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on July 16 and ordered federal agencies to have patches or mitigations in place by July 19 — a three-day window that underscores how quickly the agency judged these flaws to be dangerous in practice.

CVE-2026-39808: OS command injection in FortiSandbox 4.4.0–4.4.8

Tracked as CVE-2026-39808, this flaw was detected by Samuel de Lucas Maroto of KPMG Spain and disclosed by Fortinet on April 14. The vulnerability is an operating system command injection affecting Fortinet’s FortiSandbox versions 4.4.0 through 4.4.8. When exploited, it allows an attacker to execute unauthorized code or commands. Fortinet released a patch addressing the issue in FortiSandbox version 4.4.9. The vulnerability carries a CVSS severity rating of 9.1.

CVE-2026-25089: Unauthenticated command injection across FortiSandbox and Cloud/PaaS

CVE-2026-25089 was identified by Adham El Karn of the Fortinet Product Security team and disclosed on June 9. It is also an OS command injection vulnerability and affects a broader set of FortiSandbox deployments: FortiSandbox versions 5.0.0 to 5.0.5, 4.4.0 to 4.4.8, and all 4.2 versions; FortiSandbox Cloud versions 5.0.4 to 5.0.5; and FortiSandbox PaaS versions 5.0.4 to 5.0.5. Fortinet said that an unauthenticated attacker can execute unauthorized commands via specifically crafted HTTP requests. The company issued fixes in FortiSandbox versions 4.4.9 and 5.0.6. This flaw also carries a CVSS score of 9.1.

CISA mandate to federal agencies and the KEV designation

The US Cybersecurity and Infrastructure Security Agency required US federal agencies to apply the mitigations and patches Fortinet published, and it added both CVE-2026-39808 and CVE-2026-25089 to its Known Exploited Vulnerabilities catalog on July 16, signaling observed exploitation in the wild. CISA told agencies to roll out patches across the federal government by July 19. For cloud-based services where mitigations are unavailable, CISA advised that agencies discontinue use of the affected product.

Fortinet’s patches and the immediate technical posture

Fortinet’s remediation timeline in the public record shows patched builds: FortiSandbox 4.4.9 for the 4.4.x line and FortiSandbox 5.0.6 for the 5.0.x line. Those are the specific releases identified by Fortinet as resolving the two command-injection bugs. The two vulnerabilities share identical high severity ratings (CVSS 9.1), and Fortinet’s updates are the vendor-published fixes CISA directed agencies to deploy.

What this means for technologists, federal agencies, and cloud customers

  • Technologists and security teams: Verify FortiSandbox versions in inventory against the affected lists (4.4.0–4.4.8; 5.0.0–5.0.5; all 4.2 versions) and prioritize updates to FortiSandbox 4.4.9 or 5.0.6 where applicable.
  • Federal agencies and CISA compliance officers: Meet the July 19 directive by applying Fortinet’s patches or implementing mitigations; discontinue cloud-based FortiSandbox services if no mitigation is available, per CISA guidance.
  • Cloud customers and procurement leads: Confirm whether their FortiSandbox deployments are Cloud or PaaS instances in the affected version ranges (Cloud/PaaS 5.0.4–5.0.5) and follow vendor guidance or discontinue service when mitigations are not provided.

CISA has not confirmed whether the two FortiSandbox vulnerabilities have been used in ransomware campaigns, and the agency’s KEV listing is the public sign that exploitation has been observed. With vendor patches published and a federal deadline imminent, the immediate question is whether organizations outside the federal perimeter will move as quickly to apply the same updates or to decommission affected cloud offerings where mitigations are lacking.

Original story