2 min read

CISA Flags Two Critical FortiSandbox Bugs Under Attack

CISA added two FortiSandbox flaws to its exploited-vulnerabilities list, triggering patch deadlines for US federal agencies.

Image: The Register

Two critical FortiSandbox vulnerabilities are now on CISA’s Known Exploited Vulnerabilities catalog, after the agency confirmed active exploitation and ordered federal civilian agencies to move quickly.

The flaws, CVE-2026-39808 and CVE-2026-25089, both carry CVSS scores of 9.1 and affect FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Fortinet says both are OS command injection bugs that let unauthenticated attackers run arbitrary commands through specially crafted HTTP requests, with no valid credentials and no user interaction required.

Fortinet shipped a fix for CVE-2026-39808 in April and for CVE-2026-25089 in June. In advisories published at the time, the company said successful exploitation could lead to remote code execution through low-complexity attacks.

CISA’s addition of the flaws to the KEV list is significant because the agency only includes vulnerabilities when it has evidence of active exploitation. It typically does not say who is behind the attacks or how broad they are. Under Binding Operational Directive 26-04, federal civilian agencies must patch by CISA’s deadline or stop using affected products if they cannot secure them.

Recommended reading

TP-Link Kasa camera exposed home GPS for years

Fortinet has not updated its advisories to say the bugs are being exploited in the wild, and the company did not respond to The Register’s questions.

Defused also reported seeing exploitation attempts this week against both FortiSandbox flaws, along with CVE-2026-39813. The security firm said the exploit aimed at CVE-2026-25089 looked “vibecoded” and was likely broken, adding that it has not yet seen a working public exploit.

CISA’s Thursday KEV update also added a separate issue: Microsoft SharePoint Server flaw CVE-2026-58644. That bug is a critical deserialization vulnerability rated 9.8 that allows authenticated attackers with Site Owner privileges to remotely execute arbitrary code on vulnerable SharePoint servers. Microsoft said it can be exploited over the internet with relatively little effort.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via The Register

// Keep reading