Critical Fortinet FortiSandbox flaws now exploited in attacks

Attackers are now exploiting several critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform, according to threat intelligence company Defused.

Fortinet released security updates for these three critical-severity security flaws (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14.

These flaws allow unauthenticated threat actors to escalate privileges and execute unauthorized code remotely through low-complexity command injection attacks that require no user interaction. To resolve these issues and block incoming attacks, admins must upgrade affected deployments to the latest released versions.

'We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit)," Defused warned on Monday. "Per our research a working exploit for CVE-2026-25089 has not yet been publicly disclosed."

In April, Fortinet also flagged a medium-severity path traversal vulnerability (CVE-2025-61624) as exploited in the wild, a flaw that can let authenticated attackers escalate privileges. However, successful exploitation requires high privileges on the targeted systems, implying that it was very likely chained with another security issue.