CISA Mandates Urgent Patching for Actively Exploited FortiSandbox Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued a directive for federal agencies to immediately patch two critical-severity vulnerabilities in **Fortinet**'s **FortiSandbox** threat detection platform. These flaws, **CVE-2026-39808** and **CVE-2026-25089**, are actively being exploited in the wild, posing a significant risk of remote code execution.
The **CISA** on Thursday ordered U.S. government agencies to prioritize patching two actively exploited vulnerabilities impacting the **Fortinet FortiSandbox** threat detection platform.
These critical-severity security flaws, tracked as **CVE-2026-39808** and **CVE-2026-25089**, were addressed by **Fortinet** in advisories issued on April 14 and June 9, respectively.
## Unauthenticated Remote Code Execution
According to **Fortinet**'s security advisories, successful exploitation of these vulnerabilities allows unauthenticated threat actors to execute unauthorized code remotely. This is achieved through low-complexity command injection attacks that require no user interaction.
To mitigate these issues and prevent potential attacks, administrators are urged to upgrade all affected deployments to the latest available versions.
## In-the-Wild Exploitation Confirmed
While **Fortinet** had not officially confirmed in-the-wild exploitation at the time of the initial advisories, threat intelligence company **Defused** revealed on June 16 that attackers had already begun abusing these flaws.
**Defused** stated, "We are observing exploitation of multiple **Fortinet FortiSandbox** vulnerabilities during the past 24 hours, including: **CVE-2026-39813** (no previous recorded exploitation), **CVE-2026-39808**, **CVE-2026-25089** (vibecoded, likely faulty exploit)."
**CISA** subsequently confirmed the active exploitation of these vulnerabilities, adding them to its **Known Exploited Vulnerabilities Catalog**. Under Binding Operational Directive (BOD) 26-04, U.S. federal agencies must patch vulnerable **FortiSandbox** instances by Sunday, July 19.
## A History of Exploited Fortinet Vulnerabilities
This incident is not an isolated one for **Fortinet**. In February, the company patched **CVE-2026-21643**, a critical SQL injection vulnerability in the **FortiClient Enterprise Management Server (EMS)** platform, which **Defused** flagged as actively exploited a month later.
Two months after that, **Fortinet** addressed another actively exploited security issue: **CVE-2025-61624**, a path traversal vulnerability that could allow authenticated attackers to escalate privileges.
**Fortinet** vulnerabilities are frequently targeted in cyber espionage campaigns and ransomware attacks, often as zero-days. **CISA** currently tracks 28 **Fortinet** vulnerabilities that have been exploited in attacks in recent years, with 13 of those also being leveraged in ransomware incidents.