
Fortinet FortiSandbox Flaws Targeted by Attackers in Wide-Ranging Exploits


"has observed exploitation of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 over the past 24 hours," Defused Cyber said in a post shared on X.

Multiple FortiSandbox flaws being exploited, per Defused Cyber

Threat intelligence firm Defused Cyber reported that bad actors are actively exploiting three distinct Fortinet FortiSandbox vulnerabilities within a compressed timeframe. The three tracked identifiers are CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. Each carries a CVSS score of 9.1, and Defused Cyber said it observed exploitation activity "over the past 24 hours."

CVE-2026-39813 and CVE-2026-39808 — high-severity flaws patched in April 2026

CVE-2026-39813 is described as a path traversal vulnerability in the FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication using specially crafted HTTP requests. CVE-2026-39808 is an operating-system command injection that could enable unauthenticated attackers to execute unauthorized code or commands via crafted HTTP requests. Fortinet issued patches for both of these vulnerabilities in April 2026.
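The two bug classes named above, a path traversal reaching an API endpoint and an OS command injection driven by crafted HTTP requests, leave characteristic traces in web-server access logs. The Python script below is an added defender-side example written for this page; it is not code from The Hacker News, Defused Cyber or Fortinet, and it does not reproduce the actual exploit requests, which have not been published. The log format, the source addresses and the endpoint paths (`/jrpc`, `/api/v1/scan`) are constructed placeholders. The script percent-decodes each request target repeatedly so that double-encoded sequences are normalised before matching, flags dot-dot segments in the path and shell metacharacters in query values, and counts findings per source address.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in common access-log format. These are NOT real
# FortiSandbox logs: the article names no endpoint or log format, so the
# paths "/jrpc" and "/api/v1/scan" are placeholders chosen for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2026:10:00:01 +0000] "GET /api/v1/status HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2026:10:00:02 +0000] "GET /jrpc/../../etc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [01/May/2026:10:00:03 +0000] "POST /jrpc/%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
10.0.0.9 - - [01/May/2026:10:00:04 +0000] "POST /api/v1/scan?file=report.pdf;id HTTP/1.1" 500 0
10.0.0.9 - - [01/May/2026:10:00:05 +0000] "GET /api/v1/scan?name=a%60whoami%60 HTTP/1.1" 500 0
10.0.0.5 - - [01/May/2026:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 8890
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." segment bounded by slashes (either direction) or the string ends.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Shell metacharacters that have no business in a file name or scan parameter.
SHELL_META_RE = re.compile(r'[;|`]|\$\(')


def decode_url(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target: str) -> list[str]:
    """Return indicator labels for one request target (path plus query string)."""
    path, _, query = target.partition("?")
    path = decode_url(path)
    indicators = []
    if TRAVERSAL_RE.search(path):
        indicators.append("path_traversal")
    # Split the query by hand rather than parse_qsl so ';' is never treated
    # as a separator (older Python versions did that and would hide it).
    values = [decode_url(part.partition("=")[2]) for part in query.split("&") if part]
    if any(SHELL_META_RE.search(v) for v in [path, *values]):
        indicators.append("command_injection")
    return indicators


def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        indicators = classify_target(m["target"])
        if indicators:
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "method": m["method"],
                "target": m["target"],
                "status": int(m["status"]),
                "indicators": indicators,
            })
    return findings


def count_by_source(findings: list[dict]) -> dict[str, int]:
    """Aggregate findings per source address to separate one-offs from repeated probing."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["method"], f["target"], f["indicators"])
    print(count_by_source(results))
```

The patterns are deliberately narrow and would need tuning against the appliance's real request shapes; what the script demonstrates is the decode-then-match order, which is what catches the double-encoded variant in the sample, and the per-source aggregation that distinguishes a single malformed request from repeated probing of the same host.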

CVE-2026-25089 — patched last week, exploit shows AI development signals but is faulty

Fortinet fixed CVE-2026-25089 "last week," characterizing it as an operating-system command injection affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. Like the others, the flaw could allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests. Defused Cyber noted that the exploit observed for CVE-2026-25089 shows signs of having been developed using an artificial intelligence model, but the observed exploit is faulty. Importantly, a working exploit for CVE-2026-25089 "has not been publicly disclosed," according to the reporting.

Fortinet appliances as recurring targets — April 2026 FortiClient EMS patch

Vulnerabilities in Fortinet appliances have attracted attention before. In April 2026, Fortinet released out-of-band patches for a critical security flaw impacting FortiClient EMS (CVE-2026-35616, CVSS score: 9.1). Fortinet stated that CVE-2026-35616 "has been exploited in the wild." That recent history frames the current activity against FortiSandbox: multiple high-severity defects, rapid patching, and observed exploitation attempts in short order.

What this means for technologists, affected enterprises, and adversaries

  • Technologists and security teams: Confirm that the April 2026 patches for CVE-2026-39813 and CVE-2026-39808 have been applied, and verify that the recent fix for CVE-2026-25089 is installed across FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI deployments.
  • Affected enterprises and procurement leaders: Inventory any FortiSandbox-related assets and services to ensure coverage by the relevant patches; treat the presence of multiple high-severity CVEs with coordinated remediation and validation.
  • Adversaries and threat actors: The observed exploit for CVE-2026-25089 indicates experimentation with AI-assisted exploit development, but the observed sample is faulty and a working public exploit has not appeared.

Defused Cyber's 24-hour observation underscores two competing realities: the defensive side has working patches in place for the three high-severity FortiSandbox flaws, yet attackers are actively testing or attempting exploitation. The record shows a faulty, apparently AI-derived attempt for CVE-2026-25089 and prior evidence that Fortinet appliances have been targeted and patched out-of-band. Whether adversaries will refine the faulty CVE-2026-25089 exploit into a reliable weapon — or publish a working proof-of-concept — remains the immediate operational question for defenders to watch.

Original story at The Hacker News