CISA KEV Alert 7/16/2026, 5:40:17 PM

CISA Adds CVE-2026-39808 to Known Exploited Vulnerabilities Catalogue

Developing story vulnerability 13 articles tracked
Fortinet devices compromised globally via exploited FortiSandbox vulnerabilities
CyberSIXT Evidence Panel Source marked as original reporting
Primary Source cisa.gov
CISA KEV Listed in KEV
Patch Patch Available

ON 16 July 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026‑39808 to its Known Exploited Vulnerabilities (KEV) catalogue. The affected vendor is Fortinet and the product is FortiSandbox. The Fortinet FortiSandbox OS Command Injection Vulnerability allows an unauthenticated attacker to execute arbitrary commands via crafted HTTP requests.

The vulnerability is an OS command injection in the FortiSandbox web interface. Successful exploitation permits remote code execution with the privileges of the service. It carries a CVSS v3.1 base score of 9.1, rated Critical. Fortinet has published a patch; administrators should consult advisory FG‑IR‑26‑100 for remediation steps.

CISA’s inclusion confirms that active exploitation of this flaw has been observed. No evidence links the vulnerability to ransomware use at present. Federal Civilian Executive Branch (FCEB) agencies must complete the required mitigations by 19 July 2026, the remediation due date specified by CISA.

CISA directs FCEB agencies to apply mitigations in accordance with vendor instructions, ensuring compliance with BOD 26‑04 Prioritizing Security Updates Based on Risk and the Forensics Triage Requirements. For cloud services, follow the applicable BOD 26‑04 guidance or discontinue use if mitigations cannot be applied. Stakeholders must evaluate each asset’s internet exposure and adhere to BOD 26‑04 patching guidelines. BOD 26‑04 mandates that federal agencies remediate KEV listings within the timeframe set by CISA.

While the directive binds FCEB organisations, all other entities should review their exposure to FortiSandbox and apply available patches promptly.

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-39808 and the CISA KEV catalogue.

View CISA KEV Entry

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline