FORTINET is facing active exploitation of three critical vulnerabilities in its FortiSandbox software, as confirmed by the cybersecurity firm Defused Cyber. Two of the vulnerabilities had reportedly gone unpatched for two months, while the patch for the third had been released only the previous week. Two of the flaws, CVE-2026-39813 and CVE-2026-39808, each carry a CVSS score of 9.1 and allow unauthenticated code execution through specially crafted HTTP requests.
The third flaw, CVE-2026-25089, is described as an OS command injection. It is notable because the observed attacks appear to be AI-assisted, although the exploit itself may also be flawed. The speed with which these vulnerabilities were exploited highlights patch-management problems in organizations that run Fortinet products.