Overview
- Researchers from multiple firms reported active exploitation of three FortiSandbox vulnerabilities on Monday and Tuesday, targeting CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089.
- Fortinet issued patches for the first two defects in April and released a fix for CVE-2026-25089 during mid‑June Patch Tuesday, but telemetry shows attackers probed and tried to use the bugs before many systems were updated.
- The flaws let unauthenticated actors bypass authentication or run operating system commands on FortiSandbox appliances, which can let attackers alter sandbox verdicts and weaken other Fortinet defenses.
- One observed exploit for CVE-2026-25089 appears to have been generated with AI and was initially faulty, which researchers say shows how AI can speed exploit development even when the code is imperfect.
- Administrators are urged to apply Fortinet’s updates immediately because Fortinet has not confirmed confirmed widespread compromises tied to these CVEs and other reports of mass Fortinet firewall breaches highlight broad exposure risk.