Cybersecurity firm **Defused** has reported active exploitation of several critical vulnerabilities within **Fortinet**'s **FortiSandbox** platform. These exploits surfaced shortly after **Fortinet** released security updates for the issues on April 14. ### Critical Vulnerabilities Under Active Exploitation The vulnerabilities, tracked as **CVE-2026-39813**, **CVE-2026-39808**, and **CVE-2026-25089**, are all rated as critical severity. They enable unauthenticated attackers to execute unauthorized code remotely and escalate privileges through low-complexity command injection attacks, requiring no user interaction. **Defused** confirmed the exploitation, stating, "We are observing exploitation of multiple **Fortinet FortiSandbox** vulnerabilities during the past 24 hours, including: **CVE-2026-39813** (no previous recorded exploitation), **CVE-2026-39808**, **CVE-2026-25089** (vibecoded, likely faulty exploit)." The company also noted that a working exploit for **CVE-2026-25089** has not yet been publicly disclosed. Admins are strongly advised to upgrade their **FortiSandbox** deployments to the latest versions immediately to block these incoming attacks. ### A History of Fortinet Exploits This isn't the first time **Fortinet** products have been targeted. In April, **Fortinet** also highlighted a medium-severity path traversal vulnerability, **CVE-2025-61624**, which was exploited in the wild. While this flaw requires high privileges for successful exploitation, it was likely chained with another security issue. **Fortinet** security flaws are frequently leveraged in sophisticated attacks, including **ransomware campaigns** and **cyber espionage**, often serving as initial access points into target networks. Earlier this year, **Fortinet** addressed another critical **FortiSandbox** vulnerability, **CVE-2026-26083**, which allowed remote code execution. In February, a critical SQL injection flaw, **CVE-2026-21643**, in the **FortiClient Enterprise Management Server (EMS)** platform was also patched and subsequently flagged by **Defused** as actively exploited. The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** even issued an emergency directive on April 13, ordering federal agencies to patch their **FortiClient EMS** instances against attacks targeting **CVE-2026-21643**. **CISA** currently lists 26 **Fortinet** vulnerabilities in its Known Exploited Vulnerabilities Catalog, with 13 of these having been abused by ransomware gangs, underscoring the critical importance of timely patching for **Fortinet** users.