CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 16, 2026

Critical Fortinet FortiSandbox flaws now exploited in attacks

Bleeping Computer Archived Jun 16, 2026 ✓ Full text saved

Attackers are now exploiting several critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform, according to threat intelligence company Defused. [...]

Full text archived locally
✦ AI Summary · Claude Sonnet


    Critical Fortinet FortiSandbox flaws now exploited in attacks By Sergiu Gatlan June 16, 2026 05:19 AM 0 Attackers are now exploiting several critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform, according to threat intelligence company Defused. Fortinet released security updates for these three critical-severity security flaws (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14. These flaws allow unauthenticated threat actors to escalate privileges and execute unauthorized code remotely through low-complexity command injection attacks that require no user interaction. To resolve these issues and block incoming attacks, admins must upgrade affected deployments to the latest released versions. "We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit)," Defused warned on Monday. "Per our research a working exploit for CVE-2026-25089 has not yet been publicly disclosed." In April, Fortinet also flagged a medium-severity path traversal vulnerability (CVE-2025-61624) as exploited in the wild, a flaw that can let authenticated attackers escalate privileges. However, successful exploitation requires high privileges on the targeted systems, implying that it was very likely chained with another security issue. BleepingComputer reached out to Fortinet to confirm reports of active exploitation, but a response was not immediately available. Fortinet security flaws are often exploited in ransomware attacks (often as zero-day bugs) and in cyber espionage campaigns to breach the targets' networks. Most recently, Fortinet released security updates to address another critical vulnerability in FortiSandbox (CVE-2026-26083) that could let attackers achieve remote code execution on unpatched systems. In February, it also patched a critical SQL injection vulnerability (CVE-2026-21643) in the FortiClient Enterprise Management Server (EMS) platform, which Defused flagged as actively exploited one month later. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies on April 13 to secure their FortiClient EMS instances against attacks targeting the CVE-2026-21643 flaw within three days. In total, CISA tracks 26 Fortinet vulnerabilities that have been exploited in attacks in recent years, 13 of which were abused by ransomware gangs. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen. The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator Ivanti fixes EPMM zero-days chained in code execution attacks Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining Max severity Ivanti Sentry vulnerability now exploited in attacks CISA gives feds three days to patch Ivanti flaw exploited as zero-day
    💬 Team Notes
    Article Info
    Source
    Bleeping Computer
    Category
    ◇ Industry News & Leadership
    Published
    Jun 16, 2026
    Archived
    Jun 16, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗