
Critical Fortinet FortiSandbox Vulnerabilities Actively Exploited in Attacks

Source: Cybersecurity News. Archived Jun 16, 2026.



By Guru Baran, June 16, 2026

Threat actors are actively exploiting multiple critical vulnerabilities in Fortinet’s FortiSandbox platform, with live attack telemetry confirming exploitation attempts over the past 24 hours. Defused has flagged three CVEs under active targeting — including one, CVE-2026-39813, with no previously recorded exploitation history.

Honeypot sensors and deception infrastructure disguised as Fortinet FortiSandbox instances have captured exploitation attempts across three vulnerabilities, all triggered over port 443 via crafted POST requests to the /jsonrpc/ API endpoint.

CVE-2026-39813: A path traversal vulnerability (CWE-24) in the FortiSandbox JRPC API that allows an unauthenticated remote attacker to bypass authentication via specially crafted HTTP requests. By injecting traversal sequences such as session: "../../tmp/" into the API, attackers can access sensitive system data — including configuration backups, serial numbers, and version details — without any credentials. This CVE has no prior recorded exploitation in the wild, making this cluster of observed attacks a first-of-its-kind event.

CVE-2026-39808: An OS command injection flaw (CWE-78) in a FortiSandbox API endpoint that allows unauthenticated attackers to execute arbitrary commands as root. A public proof-of-concept exploit has been available since April 2026, weaponizing the jid GET parameter via pipe-chained Unix commands. Attack payloads consistent with this PoC have now been observed in live exploitation attempts.

CVE-2026-25089: A second OS command injection vulnerability (CWE-78) affecting the FortiSandbox Web UI across versions 5.0.0–5.0.5, 4.4.0–4.4.8, 4.2 all versions, and FortiSandbox Cloud/PaaS deployments. Notably, no functional public exploit has been disclosed for this CVE.
Observed exploitation attempts appear to be “vibecoded” — i.e., likely AI-assisted or heuristically generated exploits with faulty logic — suggesting opportunistic actors are probing without a validated working payload.

Affected Versions

| CVE | Affected Versions | Fixed Version |
|---|---|---|
| CVE-2026-39813 | FortiSandbox 4.4.0–4.4.8, 5.0.0–5.0.5 | 4.4.9, 5.0.6+ |
| CVE-2026-39808 | FortiSandbox 4.4.0–4.4.8 | 4.4.9+ |
| CVE-2026-25089 | FortiSandbox 4.2 all versions, 4.4.0–4.4.8, 5.0.0–5.0.5; Cloud/PaaS 5.0.4–5.0.5 | 4.4.9, 5.0.6+ |

All three CVEs can be triggered without authentication through a single HTTP request, meaning exposed FortiSandbox management interfaces require zero pre-existing access to exploit.

Figure: Fortinet FortiSandbox Flaws (Source: Defused)

A compromised FortiSandbox can be weaponized to approve malicious files as clean to dependent Fortinet products or serve as a lateral movement pivot within enterprise networks.

The attacker IP observed in active exploitation, 141.11.43[.]175, is attributed to AS136510 Streamline Servers Pty Ltd (Singapore) and carries a high-interest threat score.

Indicators of Compromise (IOCs)

| Type | Value | Context |
|---|---|---|
| Attacker IP | 141.11.43.175 | Observed exploit source |
| ASN | AS136510 | Streamline Servers Pty Ltd, SG |
| Target Port | 443 | HTTPS/JRPC API |
| Target Endpoint | /jsonrpc/ | FortiSandbox API path |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36 | Observed in live requests |
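A log-hunting sketch for the indicators above, added here as an example (it is not code from the article, Defused, or Fortinet): it flags POST requests to /jsonrpc/ whose JSON body carries a traversal sequence in any "session" field, plus any request from the listed attacker IP. The log schema (src, method, path, body), the sample records, and all function names are assumptions; the page does not document the request body layout, so the code searches for "session" keys at any nesting depth.

```python
import json
from urllib.parse import unquote

IOC_IPS = {"141.11.43.175"}   # attacker IP from the article's IOC table
TARGET_PATH = "/jsonrpc/"     # endpoint named in the article

# Constructed sample records (assumed schema: JSON lines incl. request body).
FIELDS = ("src", "method", "path", "body")
SAMPLE_LOG = "\n".join(json.dumps(dict(zip(FIELDS, r))) for r in [
    ("198.51.100.7", "POST", "/jsonrpc/", '{"session": "a1b2c3"}'),
    ("203.0.113.9", "POST", "/jsonrpc/", '{"session": "../../tmp/"}'),
    ("203.0.113.9", "POST", "/jsonrpc/", '{"params": [{"session": "%2e%2e%2ftmp"}]}'),
    ("141.11.43.175", "POST", "/jsonrpc/", "not-json"),
])

def session_values(node):
    """Yield every string stored under a 'session' key at any nesting depth."""
    if isinstance(node, list):
        node = dict(enumerate(node))
    for key, value in (node.items() if isinstance(node, dict) else ()):
        if key == "session" and isinstance(value, str):
            yield value
        else:
            yield from session_values(value)

def has_traversal(value):
    # Undo up to two layers of percent-encoding and normalise backslashes.
    decoded = unquote(unquote(value)).replace("\\", "/")
    return "../" in decoded or decoded.endswith("..")

def triage(line):
    """Return the reasons a log record is suspicious (empty list if none)."""
    rec, reasons = json.loads(line), []
    if rec.get("src") in IOC_IPS:
        reasons.append("ioc-ip")
    if rec.get("method") == "POST" and rec.get("path", "").startswith(TARGET_PATH):
        try:
            body = json.loads(rec.get("body") or "null")
        except json.JSONDecodeError:
            body = None
            reasons.append("unparseable-body")
        if any(has_traversal(v) for v in session_values(body)):
            reasons.append("session-traversal")
    return reasons

def scan(log_text):
    return [(n, r) for n, l in enumerate(log_text.splitlines(), 1) if (r := triage(l))]

print(scan(SAMPLE_LOG))  # (line_number, reasons) for each flagged record
```

A hit on a management interface that should not be internet-reachable is worth investigating even when the appliance is already on a fixed version, since the article describes the probing as opportunistic.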