Security researchers have observed attackers actively exploiting three critical vulnerabilities in Fortinet's FortiSandbox — the appliance many organisations rely on to analyse suspicious files and feed their wider threat detection. As Fortinet specialists, we want our clients to act on this one quickly.

What happened

Threat-intelligence firm Defused reported live exploitation attempts against three FortiSandbox flaws: CVE-2026-39813 (an authentication bypass in the platform's API), CVE-2026-39808 and CVE-2026-25089 (command-injection flaws that allow code to be run on the appliance). All three can be triggered remotely, without any login, through specially crafted web requests. Two were patched in April 2026 and the third on 9 June 2026 — and attackers began probing within days of disclosure.

Researchers traced the activity to multiple independent operators across several countries rather than a single campaign, and noted that at least one of the exploits appears to have been partly AI-generated (and possibly faulty). Separately, a campaign dubbed "FortiBleed" has reportedly compromised tens of thousands of internet-facing Fortinet firewalls by guessing weak passwords.

Why this matters

A sandbox appliance is a trusted part of your security stack — it inspects suspicious content before it reaches your people. If an attacker takes it over, they don't just gain another foothold; they can potentially influence what your security tools flag as safe, and pivot deeper into the network. That makes these flaws higher-stakes than a typical vulnerability.

What to do this week

  1. Patch immediately. Upgrade affected FortiSandbox systems to the fixed builds (5.0.6 / 4.4.9 or later) per Fortinet's advisory.
  2. Get management interfaces off the internet. Restrict admin and API access to trusted networks or VPN only — never expose them publicly.
  3. Enforce MFA and strong passwords on all Fortinet devices and remote access.
  4. Review logs for unexpected requests to the management/API endpoints, particularly unauthenticated requests and any arriving from outside your trusted networks.
  5. Make patching routine. These attacks succeed in the gap between a patch being released and being applied — aim to patch internet-facing kit within days, not months.
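A starting point for steps 2 and 4 above, as an added example that is not from the original post or from Fortinet: a small triage script that runs over access-log lines and flags requests to management/API paths that come from outside a trusted network, or that succeed without an authenticated user. The log format, the trusted CIDR, and the `/api/` and `/admin/` path prefixes are constructed assumptions, not FortiSandbox's real syntax.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not FortiSandbox's real format):
# "<src_ip> <method> <path> <status> <auth-user-or-'-'>"
SAMPLE_LOG = """\
10.20.0.15 GET /api/v1/status 200 admin
203.0.113.44 POST /api/v1/login 401 -
203.0.113.44 POST /api/v1/scan 200 -
198.51.100.7 GET /admin/config 200 -
10.20.0.15 POST /api/v1/scan 200 admin
203.0.113.44 GET /api/v1/jobs 200 -
"""

# Assumptions: internal admin VLAN and the paths that count as management/API.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
MGMT_PREFIXES = ("/api/", "/admin/")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, path, status, user = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "user": user}

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious(log_text):
    """Return management/API requests from untrusted sources, plus any that
    returned 2xx with no authenticated user (the authentication-bypass pattern)."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or not e["path"].startswith(MGMT_PREFIXES):
            continue
        untrusted = not is_trusted(e["ip"])
        unauth_success = e["user"] == "-" and 200 <= e["status"] < 300
        if untrusted or unauth_success:
            checks = (("untrusted-source", untrusted), ("unauthenticated-success", unauth_success))
            e["reasons"] = [name for name, flagged in checks if flagged]
            hits.append(e)
    return hits

def summarise(hits):
    """Count flagged requests per source IP to prioritise investigation."""
    return Counter(h["ip"] for h in hits)
```

On the sample above, the two external addresses account for all four flagged entries; the internal admin's requests are not reported.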

We manage and harden Fortinet estates for businesses across Greater Manchester. If you'd like us to check your exposure and confirm you're on a safe version, get in touch.

Source: Critical Fortinet FortiSandbox flaws now exploited in attacks — BleepingComputer