Skip to main content
Emerging ThreatsMalware & Ransomware

CISA Warns of Actively Exploited Fortinet Flaws

Network security appliance sits on a table in a government agency setting.

"We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit)," warned threat intelligence company Defused.

CISA issues a federal patching deadline under BOD 26-04

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to prioritize patching two actively exploited vulnerabilities in the Fortinet FortiSandbox platform and added the flaws to its catalog of known exploited vulnerabilities. Under Binding Operational Directive 26-04, agencies must remediate vulnerable FortiSandbox instances by Sunday, July 19. CISA’s placement of the flaws on the known-exploited list triggered the mandatory federal deadline.

The two FortiSandbox flaws: CVE-2026-39808 and CVE-2026-25089

Fortinet released fixes for the two critical-severity flaws on April 14 and June 9, respectively. According to Fortinet’s security advisories, successful exploitation permits unauthenticated threat actors to execute unauthorized code remotely via low-complexity command-injection attacks that require no user interaction. Fortinet’s guidance — echoed in CISA’s advisory — is that administrators must upgrade all affected deployments to the latest released versions to resolve the issues and block incoming attacks.

Evidence of exploitation and vendor response

Defused reported on June 16 that attackers had started abusing these FortiSandbox flaws in the wild, and CISA later confirmed active exploitation. BleepingComputer noted that Fortinet has not yet publicly tagged those two vulnerabilities as used in attacks and had not replied to its emails about in-the-wild exploitation. Defused’s June statement also called out CVE-2026-39813 as newly observed in exploitation during the same window.

Context from recent Fortinet patches and tracked exploitation

The advisory comes amid a string of recent Fortinet fixes that were later tied to real-world exploitation. Fortinet patched a critical SQL injection vulnerability (CVE-2026-21643) in the FortiClient Enterprise Management Server platform in February; Defused flagged that flaw as actively exploited a month later. Two months after that, Fortinet addressed a path traversal vulnerability (CVE-2025-61624) that can allow authenticated attackers to escalate privileges and which had also been exploited in attacks, according to the record cited in the advisories.

CISA tracks 28 Fortinet vulnerabilities that have been exploited in attacks in recent years; 13 of those have also been abused in ransomware operations. The advisories and tracking underscore a recurring pattern for Fortinet products in both cyber espionage campaigns and ransomware attacks, often involving high-severity issues and, in some cases, zero-day exploitation.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: Upgrade all affected FortiSandbox deployments to the latest released versions immediately to block the unauthenticated command-injection vectors described in Fortinet’s advisories. The federal deadline of July 19 applies to U.S. agencies and serves as a firm benchmark for prioritized patching.
  • Policymakers and regulators: CISA’s addition of the flaws to its known exploited vulnerabilities catalog and the use of BOD 26-04 to set a remediation deadline demonstrates the mechanism regulators are using to force rapid mitigation when exploitation is observed in the wild.
  • Affected enterprises and procurement leaders: Fortinet released fixes on April 14 and June 9; organizations that delayed upgrading are now facing confirmed exploitation reported by Defused and affirmed by CISA. Procurement and risk teams should account for the historical pattern—28 tracked exploited Fortinet flaws, 13 tied to ransomware—when assessing vendor risk and patching SLAs.

The facts are straightforward: Fortinet published fixes in April and June; Defused reported active exploitation in mid-June; CISA has confirmed the flaws are exploited and set a federal remediation deadline of July 19. What remains unsettled in the public record is Fortinet’s own attribution in this instance — the company has not yet labeled the April- and June-patched FortiSandbox bugs as seen in attacks nor responded to BleepingComputer’s inquiries about in-the-wild exploitation. With the federal deadline now set, that technical and procedural gap is likely to narrow as agencies and organizations move to upgrade affected systems.

Original story