
FORTINET disclosed that its FortiSandbox appliances are under active attack after threat actors exploited two critical OS command injection flaws, prompting CISA to add the vulnerabilities to its Known Exploited Vulnerabilities catalogue. The flaw tracked as CVE‑2026‑39808 carries a CVSS score of 9.1 and allows unauthenticated remote code execution via specially crafted HTTP requests. A second flaw CVE‑2026‑25089 shares the same score and impacts FortiSandbox Cloud and PaaS deployments. Administrators are urged to consult the Fortinet advisory FG‑IR‑26‑100 for the first issue and FG‑IR‑26‑141 for the second.
The CVE‑2026‑39808 vulnerability resides in the input validation of the FortiSandbox web interface where insufficient sanitisation permits OS command injection. An attacker who can reach the device over HTTP can craft a request that executes arbitrary commands with the privileges of the sandbox service. Fortinet rates the issue as Critical and has released a patch detailed in FG‑IR‑26‑100. Applying the update removes the injection vector and restores normal operation.
A parallel flaw CVE‑2026‑25089 affects FortiSandbox Cloud and FortiSandbox PaaS, sharing the same OS command injection root cause and a CVSS rating of 9.1. Exploitation again requires only network access to the web interface and no authentication. Fortinet has issued advisory FG‑IR‑26‑141 with a corresponding fix, and CISA has added the flaw to its KEV catalogue here.
Beyond the FortiSandbox flaws a separate operation dubbed FortiBleed has compromised more than thirty thousand Fortinet firewalls and VPN gateways across 194 countries. Identified by SOCRadar the campaign relies on credential reuse rather than new vulnerabilities harvesting passwords from previously leaked lists. The activity spans banks hospitals telecoms and government networks highlighting the danger of weak password hygiene. Details are available in the SOCRadar blog FortiBleed analysis and a summary on SecurityOnline here.
Defenders should prioritize installing the patches from FG‑IR‑26‑100 and FG‑IR‑26‑141 on all FortiSandbox instances immediately. Where patching cannot be done right away administrators should restrict HTTP access to the management interface to trusted IP ranges or place the devices behind a VPN. Enforcing multi factor authentication on privileged accounts and rotating any credentials that may have been exposed will reduce the risk of follow on attacks. Monitoring web logs for unexpected POST or GET parameters that contain shell metacharacters can help detect attempted exploitation.
Organisations are also encouraged to subscribe to CISA alerts and regularly review the Known Exploited Vulnerabilities catalogue to stay ahead of emerging threats. Maintaining an accurate asset inventory ensures that no FortiSandbox device is overlooked during update cycles. Regular credential audits and the removal of default or weak passwords complement technical mitigations and improve overall resilience.