"We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit)," Defused warned on Monday.
Which FortiSandbox flaws are being attacked now
Defused, a threat intelligence company, says attackers are actively exploiting several critical vulnerabilities in Fortinet's FortiSandbox platform: CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. Fortinet issued security updates for those three critical-severity flaws on April 14. Defused added that, per its research, "a working exploit for CVE-2026-25089 has not yet been publicly disclosed," which fits its description of the observed CVE-2026-25089 activity as a likely faulty exploit, while noting exploitation attempts across all three.
How the vulnerabilities function and why they are urgent
According to Fortinet's advisories, the three flaws allow unauthenticated threat actors to escalate privileges and execute unauthorized code remotely. They can be triggered through low-complexity command-injection attacks that "require no user interaction." That combination of unauthenticated access, remote code execution, privilege escalation, and low exploit complexity makes unpatched FortiSandbox deployments an immediate risk. Fortinet's guidance to administrators is direct: upgrade affected deployments to the latest released versions to block incoming attacks.
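Fortinet's advisories describe the flaw class (unauthenticated command injection) but publish no code, so the following is a generic illustration added here, not FortiSandbox code and not from the original report. The handler, report directory and sample-name parameter are hypothetical; the block shows what "command injection" means in practice (a request parameter spliced into a shell command string), the hardened equivalent (allowlist validation plus an argv list that never passes through a shell), and a small detector for shell metacharacters that a SOC can run over request logs while patching.

```python
"""Generic OS command-injection illustration: vulnerable and hardened forms.

Added example, not code from the original report or from Fortinet. The
handler below is hypothetical: a sandbox service that returns a scan report
for a caller-supplied sample name.
"""
import re
import subprocess

REPORT_DIR = "/var/reports"                      # hypothetical path, illustration only
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # allowlist: letters, digits, _ . - only
SHELL_META_CHARS = set(";&|`$<>(){}\n\\'\"")      # characters a POSIX shell treats specially


def build_command_vulnerable(sample_name: str) -> str:
    """Vulnerable form: the untrusted parameter is concatenated into a shell
    command string. A value such as 'x; id' makes the shell run a second command
    once the string is executed with shell=True (or via os.system)."""
    return f"cat {REPORT_DIR}/{sample_name}.txt"


def build_command_hardened(sample_name: str) -> list[str]:
    """Hardened form: validate against a strict allowlist, then build an argv
    list. subprocess.run(argv) executes the program directly, so no shell ever
    parses the parameter even if the validation were somehow bypassed."""
    if not SAFE_NAME.fullmatch(sample_name):
        raise ValueError(f"rejected sample name: {sample_name!r}")
    return ["cat", f"{REPORT_DIR}/{sample_name}.txt"]


def looks_like_injection(value: str) -> bool:
    """Detection helper: does a request parameter carry shell metacharacters?
    Cheap to run over proxy/WAF logs as a hunt while the patch is rolled out."""
    return any(c in SHELL_META_CHARS for c in value)


def run_hardened(sample_name: str) -> subprocess.CompletedProcess:
    """Execute the hardened form (a list argument means shell=False)."""
    return subprocess.run(build_command_hardened(sample_name),
                          capture_output=True, text=True)


if __name__ == "__main__":
    payload = "x; id"  # constructed attacker input
    print("vulnerable command string:", build_command_vulnerable(payload))
    print("flagged by detector:", looks_like_injection(payload))
    try:
        build_command_hardened(payload)
    except ValueError as err:
        print("hardened handler:", err)
    # To watch the injection actually run through a shell, uncomment:
    # subprocess.run(build_command_vulnerable(payload), shell=True)
```

The allowlist is deliberately narrow; a blocklist of "bad" characters is the weaker choice because shells have many ways to chain commands, so the argv list is the real control and the regex is defence in depth.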
Patch history and related Fortinet fixes
Fortinet has released a series of recent patches across its product set. In addition to the April 14 updates covering the three FortiSandbox flaws, Fortinet recently released security updates addressing another critical FortiSandbox vulnerability, CVE-2026-26083, which could permit remote code execution on unpatched systems. Earlier in the year, Fortinet patched a critical SQL injection issue in FortiClient Enterprise Management Server (EMS), CVE-2026-21643; Defused flagged active exploitation of that EMS flaw a month after Fortinet's February patch.
Fortinet also flagged a medium-severity path traversal vulnerability, CVE-2025-61624, as exploited in the wild in April. That flaw lets authenticated attackers escalate privileges, but Fortinet noted that successful exploitation requires high privileges on the targeted system, implying it was likely chained with another vulnerability.
CISA, exploitation tracking, and the broader pattern
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies on April 13 to secure their FortiClient EMS instances against attacks targeting CVE-2026-21643 within three days. CISA currently tracks 26 Fortinet vulnerabilities that have been exploited in attacks in recent years; 13 of those tracked flaws were abused by ransomware gangs. The report also observes that Fortinet vulnerabilities are frequently leveraged in ransomware attacks, sometimes as zero-day bugs, and in cyber espionage operations aimed at breaching networks.
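A practical way to act on those CISA figures is to check your own exposure against the Known Exploited Vulnerabilities (KEV) catalog, which CISA publishes as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json with fields such as cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse. The script below is an added example, not part of the original report or a CISA tool. SAMPLE_KEV is constructed data in the feed's layout so the script runs offline; its entries and the counts it produces are illustrative, not the 26 and 13 figures the article cites. Only the FortiClient EMS entry reflects something the article states (an April 13 order with a three-day deadline); swap in the downloaded feed for real results.

```python
"""Added example: triage the Fortinet CVEs named in the report against CISA KEV.

Not from the original report. SAMPLE_KEV is CONSTRUCTED in the catalog's field
layout; dates and the non-Fortinet entry are illustrative only.
"""
import json
from datetime import date

# CVEs named in the report above.
ARTICLE_CVES = ["CVE-2026-39813", "CVE-2026-39808", "CVE-2026-25089",
                "CVE-2026-26083", "CVE-2026-21643", "CVE-2025-61624"]

SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
     "product": "FortiClient EMS", "dateAdded": "2026-04-13",
     "dueDate": "2026-04-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet",
     "product": "FortiOS", "dateAdded": "2021-11-03",
     "dueDate": "2022-05-03", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
     "product": "Log4j2", "dateAdded": "2021-12-10",
     "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
]})


def load_kev(text: str) -> list[dict]:
    """Parse the catalog JSON into its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def vendor_entries(entries: list[dict], vendor: str) -> list[dict]:
    """Keep only one vendor's records (case-insensitive match on vendorProject)."""
    return [e for e in entries if e["vendorProject"].lower() == vendor.lower()]


def ransomware_entries(entries: list[dict]) -> list[str]:
    """CVE IDs CISA marks as used in known ransomware campaigns."""
    return [e["cveID"] for e in entries if e.get("knownRansomwareCampaignUse") == "Known"]


def remediation_window_days(entry: dict) -> int:
    """Days between catalog addition and the federal due date (3 for the EMS order)."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def overdue(entries: list[dict], today: date) -> list[str]:
    """CVE IDs whose federal remediation deadline has already passed."""
    return [e["cveID"] for e in entries if date.fromisoformat(e["dueDate"]) < today]


def article_cve_status(entries: list[dict]) -> dict[str, str]:
    """For each CVE the report names, say whether the catalog lists it and when it is due."""
    listed = {e["cveID"]: e for e in entries}
    return {cve: (f"listed, due {listed[cve]['dueDate']}" if cve in listed
                  else "not in catalog (or not yet)")
            for cve in ARTICLE_CVES}


def summarize(text: str, vendor: str, today_iso: str) -> dict:
    """One-shot summary for a vendor: tracked count, ransomware count, overdue IDs,
    and the status of the article's CVEs. today_iso is an ISO date like 2026-04-20."""
    ours = vendor_entries(load_kev(text), vendor)
    today = date.fromisoformat(today_iso)
    return {"tracked": len(ours),
            "ransomware": len(ransomware_entries(ours)),
            "overdue": overdue(ours, today),
            "article": article_cve_status(ours)}


if __name__ == "__main__":
    # Replace SAMPLE_KEV with open("known_exploited_vulnerabilities.json").read()
    # after downloading the live feed to get the real Fortinet numbers.
    print(json.dumps(summarize(SAMPLE_KEV, "Fortinet", date.today().isoformat()), indent=2))
```

Running it against the live feed answers the two questions a security team has to settle quickly: which of these CVEs has CISA already put on a federal deadline, and how many of the vendor's catalogued bugs carry the ransomware flag.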
What this means for security teams, federal agencies, and adversaries
- Security teams and administrators: The immediate action spelled out in the advisory is to upgrade affected FortiSandbox deployments to the latest released versions. Given the reported lack of required user interaction and the low complexity of these attacks, fast patching is the primary defense described in the available reporting.
- Federal agencies and compliance officers: The April 13 CISA order to secure FortiClient EMS instances over CVE-2026-21643 illustrates that federal entities have already been placed on an abbreviated mitigation timeline for at least one recent Fortinet flaw; similar urgency is implied by the current exploitation activity against FortiSandbox.
- Adversaries and ransomware operators: The reporting reiterates that Fortinet products have been a recurring target for ransomware gangs and espionage campaigns. The combination of actively exploited critical flaws and previously tracked, routinely abused Fortinet vulnerabilities presents an attractive vector for actors seeking remote access or privilege escalation.
BleepingComputer reached out to Fortinet to confirm the reports of active exploitation, but "a response was not immediately available." The report also points to an operational detection gap: "Security teams log 54% of successful attacks and alert on just 14%," a statistic drawn from a Picus whitepaper linked from the original article.
The factual record in the advisory is stark: multiple critical FortiSandbox flaws patched in April are now being exploited, and one of the three observed CVEs had no previously recorded exploitation. Administrators running FortiSandbox are left with a binary choice framed by the advisory — upgrade to the latest versions or risk exposure to remote code execution and privilege escalation attacks that, by the report's account, require neither user interaction nor complex exploits.