Fortinet FortiSandbox Critical Vulnerabilities Under Active Exploitation
Attackers have been actively exploiting CVE-2026-39808 and CVE-2026-39813 in Fortinet FortiSandbox since June, with 49 exploitation events observed across 11 IPs from 9 countries.
Attack Brief
Target: Fortinet FortiSandbox
Vector: OS command injection and path traversal vulnerabilities enabling authentication bypass and arbitrary command execution
Attribution: Multiple independent operators on commodity infrastructure
Technical Details
CVE IDs: CVE-2026-39808, CVE-2026-39813, CVE-2026-25089
MITRE ATT&CK: T1078, T1548, T1059
Impact
Sectors: Enterprise security
Confirmed Damage: Post-exploitation activity including verification and reconnaissance observed; potential for lateral movement within security-sensitive environments
Geography: China, South Korea, Taiwan, India, Singapore, Germany, Netherlands, Canada, Bulgaria
Mitigation
Patches:
CVE-2026-39808 patched April 2026
CVE-2026-39813 patched April 2026
CVE-2026-25089 patched June 9, 2026
Context
Similar Attacks: CISA has flagged 26 Fortinet vulnerabilities in its Known Exploited Vulnerabilities catalog since 2021
Source
https://cyberscoop.com/fortinet-fortisandbox-vulnerabilities-exploits/
by CyberScoop on 2026-06-17T00:00:00Z (2 sources)