CVE-2026-39808 and CVE-2026-25089 — both scored 9.1 — have been added to CISA’s Known Exploited Vulnerabilities catalog after the agency concluded there is evidence the two FortiSandbox flaws are being actively exploited.
The bugs: CVE-2026-39808 and CVE-2026-25089
Both vulnerabilities are OS command injection flaws that affect FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Fortinet’s advisories state the bugs allow unauthenticated attackers to execute arbitrary commands via specially crafted HTTP requests, requiring neither valid credentials nor user interaction. Fortinet warned at the time of the fixes that successful exploitation could lead to remote code execution via low-complexity attacks.
Fortinet released a fix for CVE-2026-39808 in April and for CVE-2026-25089 in June. Despite those advisories, Fortinet has not publicly confirmed that either flaw is being exploited in the wild and, according to The Register, did not respond to questions about exploitation.
CISA’s KEV listing and the federal patching directive
CISA’s addition of the two FortiSandbox bugs to its Known Exploited Vulnerabilities (KEV) catalog is significant because the agency treats inclusion as evidence the vulnerabilities are being actively exploited. The agency, however, “rarely attributes attacks or discloses how widespread they are.”
For federal civilian agencies the listing triggers an operational requirement: Binding Operational Directive 26-04 obliges agencies to patch within CISA’s deadlines or to remove or otherwise mitigate vulnerable products if they cannot be adequately secured. That directive turns the KEV notice into a hard deadline for agencies running affected FortiSandbox products.
Observed exploitation activity: Defused and the exploit landscape
Security firm Defused reported observing exploitation attempts against both CVE-2026-39808 and CVE-2026-25089 this week, alongside activity targeting another FortiSandbox vulnerability, CVE-2026-39813. Defused noted, however, that not every exploit attempt appears to be functioning.
In particular, Defused described the exploit targeting CVE-2026-25089 as “vibecoded” and likely broken, and said it has yet to see a working public exploit. Those observations suggest active reconnaissance and probing, but they do not establish broad, successful compromise at scale based on the available reporting.
Microsoft SharePoint Server CVE-2026-58644 also flagged
In the same KEV update, CISA flagged a separate critical concern: Microsoft’s SharePoint Server bug CVE-2026-58644. That vulnerability is a critical deserialization flaw rated 9.8 that allows authenticated attackers with Site Owner privileges to execute arbitrary code remotely against vulnerable SharePoint servers.
Microsoft warned the SharePoint Server bug “can be exploited remotely over the internet with relatively little effort,” making it a priority for administrators to apply the vendor’s patches promptly.
What this means for technologists, federal agencies, and enterprise security teams
- Technologists and security teams: The immediate task is to confirm whether you run FortiSandbox, FortiSandbox Cloud, or FortiSandbox PaaS and to verify that the April (CVE-2026-39808) and June (CVE-2026-25089) updates have been applied. The public reports of exploitation attempts, including those observed by Defused, mean defenders should monitor logs for suspicious HTTP requests that might match the described injection vectors.
- Federal agencies: Binding Operational Directive 26-04 sets firm obligations. Agencies that cannot apply mitigations within CISA’s deadlines must remove or otherwise mitigate affected FortiSandbox instances to comply with the directive. CISA’s KEV inclusion provides the formal trigger for those actions.
- Enterprise security and procurement leaders: Even though Fortinet has not publicly marked the flaws as exploited and did not respond to The Register’s questions, CISA’s KEV listing signals active exploitation evidence. Procurement and risk teams should evaluate exposure across cloud and PaaS deployments and prioritize mitigation or isolation of vulnerable appliances.
Conclusion: patches exist and evidence of probing and attempted exploitation has prompted CISA to elevate the two FortiSandbox defects into its KEV catalog, placing immediate obligations on federal agencies and a clear call to action for administrators elsewhere. Defused’s assessment that at least one public exploit appears broken complicates the picture: activity is real, but successful exploitation at scale is not established in the reporting. Fortinet’s decision not to mark the advisories as exploited and its lack of public comment leave open a concrete question for defenders and regulators alike — how widespread and effective are these attacks, and how quickly will affected operators move from patching to verification?




