FORTINET customers are under attack as several critical flaws in FortiSandbox are being exploited in the wild, according to recent threat intelligence. A campaign dubbed FortiBleed has already compromised more than thirty thousand Fortinet firewalls, with the majority of impacted systems located in India and the United States. The intrusions give attackers verified credentials and persistent visibility into network traffic.
Three of the flaws, tracked as CVE-2026-39808, CVE-2026-39813 and CVE-2026-25089, have been patched but remain actively targeted according to SecurityWeek. CVE-2026-39808 allows an unauthenticated bypass of login mechanisms, while CVE-2026-39813 enables OS command injection that can lead to arbitrary code execution. CVE-2026-25089 also permits remote command execution without authentication, and a separate high‑impact issue, CVE-2026-10520, affects Ivanti Sentry with a CVSS score of ten.
Fortinet advisories show that FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8 are vulnerable to CVE-2026-25089, with upgrades to 5.0.6 or 4.4.9 required as detailed in the vendor’s advisory. The other two issues affect recent releases and were patched just days before attackers began probing them, as observed by Defused’s honeypots which recorded exploit attempts using specially crafted HTTP requests per The Hacker News. Some of the activity has been described as assisted by automated tools, though the exact role of AI remains unclear.
Although no specific threat actor has been named, the scale of the FortiBleed operation suggests a well‑resourced group capable of maintaining long‑term access to compromised devices per SOCRadar’s findings. The exploit chain appears to focus on harvesting credentials and monitoring internal traffic, which could facilitate further lateral movement. Security researchers warn that the speed with which these flaws are being weaponised highlights gaps in patch deployment across many organisations as noted by SecurityAffairs.
Administrators should immediately apply the latest FortiSandbox upgrades and verify that all appliances are running patched firmware. In addition to updating, it is advisable to restrict administrative interfaces to trusted networks, enable multi‑factor authentication for any remote access, and review system logs for unexpected POST requests or command‑execution attempts. Regular configuration audits and network segmentation can limit the impact of a successful breach according to FortiGuard’s patch notice.
Finally, organisations should prioritise vulnerability management programmes that track exploit activity and apply patches within a defined window, ideally within seventy‑two hours of release. Staying subscribed to Fortinet’s security advisories and participating in industry information‑sharing groups can provide early warning of similar threats. Continuous monitoring and rapid response remain the most effective defences against actively exploited flaws.