2 min read

CISA sets Sunday deadline for exploited Fortinet flaws

CISA added two FortiSandbox bugs to its exploited-vulnerabilities list and told U.S. agencies to patch by Sunday, July 19.

Image: BleepingComputer

The U.S. Cybersecurity and Infrastructure Security Agency on Thursday told federal agencies to urgently patch two actively exploited Fortinet FortiSandbox vulnerabilities, escalating pressure on organizations running the threat detection platform.

The flaws, CVE-2026-39808 and CVE-2026-25089, are both rated critical. Fortinet patched them on April 14 and June 9, respectively. According to Fortinet’s advisories, attackers can exploit the bugs to execute unauthorized code remotely through low-complexity command injection with no user interaction required.

CISA has now added both issues to its Known Exploited Vulnerabilities catalog. Under Binding Operational Directive 26-04, U.S. federal agencies must secure vulnerable FortiSandbox systems by Sunday, July 19.

Recommended reading

Coca-Cola stops fairlife US output after ransomware hit

Fortinet has not yet labeled the two flaws as exploited in attacks, and BleepingComputer said the company had not responded to questions about in-the-wild abuse. But threat intelligence firm Defused said on June 16 that attackers had already begun using them.

“We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit).”

Defused

The immediate fix is straightforward: admins need to upgrade all affected FortiSandbox deployments to the latest available versions.

This is the latest in a string of Fortinet security problems tied to real-world attacks. In February, the company fixed a critical SQL injection flaw, CVE-2026-21643, in FortiClient Enterprise Management Server (EMS); Defused flagged it as actively exploited a month later. Two months after that, Fortinet patched CVE-2025-61624, a path traversal vulnerability that can let authenticated attackers escalate privileges.

Fortinet bugs continue to be a frequent target in cyber espionage and ransomware campaigns, often as zero-days. CISA currently tracks 28 exploited Fortinet vulnerabilities, 13 of which have also been used in ransomware attacks.

Article image
Article image
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading