Fortinet Devices Under Siege: Multiple Vulnerabilities Exploited, 30,000+ Firewalls Compromised in 'FortiBleed' Campaign
Threat actors are actively exploiting several critical vulnerabilities in **Fortinet FortiSandbox**, allowing unauthenticated attackers to bypass authentication and execute arbitrary code. Simultaneously, a large-scale 'FortiBleed' campaign, attributed to Russian-speaking groups, has reportedly compromised over 30,000 **Fortinet** firewalls globally, leveraging recycled credentials and advanced credential harvesting techniques.
Cybersecurity firm **Defused Cyber** has observed active exploitation of multiple security vulnerabilities in **Fortinet FortiSandbox** appliances. The exploits, reported on X, target **CVE-2026-39813**, **CVE-2026-39808**, and **CVE-2026-25089**.
**CVE-2026-39813** (CVSS score: 9.1) is a path traversal vulnerability in the **FortiSandbox** JRPC API. This flaw allows an unauthenticated attacker to bypass authentication through specially crafted HTTP requests.
**CVE-2026-39808** (CVSS score: 9.1) is an operating system command injection vulnerability. It enables an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. Both of these vulnerabilities were patched by **Fortinet** in April 2026.
The third flaw, **CVE-2026-25089** (CVSS score: 9.1), also an operating system command injection, impacts **FortiSandbox**, **FortiSandbox Cloud**, and **FortiSandbox PaaS WEB UI**. It allows unauthenticated attackers to execute unauthorized commands via specifically crafted HTTP requests and was patched last week.
**Defused Cyber** noted that the exploit for **CVE-2026-25089** shows signs of being developed with an artificial intelligence (AI) model, though it is currently faulty. A functional public exploit for this specific vulnerability has not yet been disclosed.
This string of exploits follows a trend of **Fortinet** appliances being a prime target for attackers. In April 2026, **Fortinet** released out-of-band patches for **CVE-2026-35616** (CVSS score: 9.1), a critical flaw in **FortiClient EMS** that was actively exploited in the wild.
### FortiBleed Compromises Over 30,000 Fortinet Firewalls
Adding to **Fortinet**'s challenges, **SOCRadar** has disclosed a large-scale campaign, dubbed 'FortiBleed,' suspected to be orchestrated by Russian-speaking threat actors. This campaign has reportedly compromised over 30,000 **Fortinet** firewalls across 194 countries.
**SOCRadar** uncovered this activity after identifying an operational server linked to the campaign. "The attacker's database contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries," **SOCRadar** stated. "These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock."
The compromised devices belong to organizations in critical sectors, including banks, telecom operators, hospitals, universities, government agencies, energy companies, and multinational corporations. India, the U.S., Mexico, Colombia, Thailand, Taiwan, Indonesia, Malaysia, Singapore, and France are among the top 10 most affected nations, with India accounting for 60% of all internet-exposed **Fortinet** deployments in the government sector.
The attackers employ a two-step approach: "First, they try a list of previously leaked **Fortinet** passwords against devices across the internet; many organizations never changed passwords after earlier breaches. Second, once inside a device, they passively monitor network traffic to collect additional credentials as they pass through. Those are then used to compromise even more devices."
### Update: FortiBleed Campaign Expands Scope
In a follow-up analysis published on June 17, 2026, **Hudson Rock** reported that the 'FortiBleed' campaign has "successfully targeted 73,932 unique firewall URLs across 194 countries, resulting in 21,632 unique affected domains." **Volodymyr "Bob" Diachenko** initially flagged details of this activity on LinkedIn.
**Diachenko** described the operation as a "Russian-speaking multi-operator group conducting large-scale credential harvesting against **Fortinet FortiGate SSL VPN** appliances worldwide." He added, "The operation processed 1.16 billion credential attempts against 320,777 **FortiGate** targets and 2.1 billion attempts against 163,650 **MS-SQL** servers."
The group's tactics extend beyond simple credential reuse. Attackers are believed to intercept **SSL-VPN** authentication, crack hashes using a 45-GPU cluster managed via **Hashtopolis**, and then pivot into internal **Active Directory** environments for further exploitation and persistence.
The attackers are suspected of scanning internet-exposed **Fortinet** instances to breach them using known password lists. Successful logins allow them to establish listening posts on compromised devices, capturing additional credentials and perpetuating a "continuous loop of unauthorized access."
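The credential-reuse stage described above leaves a recognizable trace in SSL-VPN event logs: one source address failing against many distinct accounts, then succeeding on one of them. The following is an added detection example written for this article, not code from Fortinet, SOCRadar or Hudson Rock; the log lines are constructed, and the FortiGate-style field names (`subtype`, `action`, `remip`, `user`) and action values are assumed rather than taken from a real device.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value style (not real telemetry).
# Field names and action values are assumed; adjust to your own log schema.
SAMPLE_LOGS = """\
date=2026-06-17 time=09:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="alice"
date=2026-06-17 time=09:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"
date=2026-06-17 time=09:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="carol"
date=2026-06-17 time=09:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="dave"
date=2026-06-17 time=09:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="erin"
date=2026-06-17 time=09:00:09 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="erin"
date=2026-06-17 time=09:05:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.9 user="frank"
date=2026-06-17 time=09:05:30 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.9 user="frank"
"""

# key=value pairs; values are either "quoted" (group 3) or bare tokens (group 4)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def find_spray_sources(log_text, min_users=5):
    """Flag source IPs that failed SSL-VPN logins against >= min_users distinct
    accounts. For each, also report which of those accounts later logged in
    successfully from the same source: the sign that a reused password worked."""
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("subtype") != "vpn":
            continue
        if rec.get("action") == "ssl-login-fail":
            failed[rec["remip"]].add(rec["user"])
        elif rec.get("action") == "tunnel-up":
            succeeded[rec["remip"]].add(rec["user"])
    findings = {}
    for ip, users in failed.items():
        if len(users) >= min_users:
            findings[ip] = {
                "tried": sorted(users),
                "later_success": sorted(users & succeeded.get(ip, set())),
            }
    return findings
```

A single failed login followed by success (198.51.100.9 above) is a normal typo and is not flagged; the threshold and time window should be tuned to the size of the user base.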
"A particularly alarming detail from this dataset is the high volume of extremely complex passwords that were successfully compromised," **Hudson Rock** noted. "However, complexity is completely neutralized when passwords are recovered in plaintext. If the attackers are recycling known plaintext credentials to bypass perimeters, complexity policies offer no protection."
Ghost Protocol has reached out to **Fortinet** for comment and will update this story as more information becomes available.
