Attackers target critical FortiSandbox flaws as CISA issues patch order

https://image.theregister.com/5274310.jpg?imageId=5274310&x=0&y=0&cropw=100&croph=100&panox=0&panoy=0&panow=100&panoh=100&width=1200&height=683

Command injection vulns land on exploited list after researchers spot abuse attempts

Fortinet admins have two more reasons to clear their calendars after CISA confirmed a pair of critical FortiSandbox bugs are being actively exploited.

The two bugs, tracked as CVE-2026-39808 and CVE-2026-25089, both carry CVSS scores of 9.1 and affect FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. According to Fortinet, they are OS command injection flaws that allow unauthenticated attackers to execute arbitrary commands via specially crafted HTTP requests, requiring neither valid credentials nor user interaction.

Fortinet released fixes for CVE-2026-39808 in April and CVE-2026-25089 in June, warning in advisories published at the time that successful exploitation could lead to remote code execution via low-complexity attacks.

Fortinet has not publicly confirmed that either flaw is being exploited in the wild, but CISA has now added both bugs to its Known Exploited Vulnerabilities (KEV) catalog. Inclusion in the catalog means...

Copyright of this story solely belongs to theregister.com. To see the full text click HERE