THE U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated urgent patches for two critical vulnerabilities in Fortinet's FortiSandbox, identified as CVE-2026-39808 and CVE-2026-25089, both rated 9.1 on the CVSS scale. These vulnerabilities enable unauthorized command execution when exploited. CISA has added these flaws to its Known Exploited Vulnerabilities catalog and requires federal agencies to implement patches by July 19, 2026.
Additionally, CISA advised discontinuing the use of affected cloud services if patches are not feasible. Fortinet has released corresponding patches in versions 4.4.9 and 5.0.6.