
Attackers are now exploiting several critical vulnerabilities in Fortinet’s FortiSandbox cyber threat detection platform, according to threat intelligence company Defused.
Fortinet released security updates for these three critical-severity security flaws (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14.
These flaws allow unauthenticated threat actors to escalate privileges and execute unauthorized code remotely through low-complexity command injection attacks that require no user interaction. To resolve these issues and block incoming attacks, admins must upgrade affected deployments to the latest released versions.
“We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit),” Defused warned on Monday. “Per our research a working exploit for CVE-2026-25089 has not yet been publicly disclosed.”
In April, Fortinet also flagged a medium-severity path traversal vulnerability (CVE-2025-61624) as exploited in the wild, a flaw that can let authenticated attackers escalate privileges. However, successful exploitation requires high privileges on the targeted systems, implying that it was very likely chained with another security issue.
BleepingComputer reached out to Fortinet to confirm reports of active exploitation, but a response was not immediately available.
Fortinet security flaws are frequently exploited in ransomware attacks (often as zero-day bugs) and in cyber espionage campaigns to breach targets’ networks.
Most recently, Fortinet released security updates to address another critical vulnerability in FortiSandbox (CVE-2026-26083) that could let attackers achieve remote code execution on unpatched systems.
In February, it also patched a critical SQL injection vulnerability (CVE-2026-21643) in the FortiClient Enterprise Management Server (EMS) platform, which Defused flagged as actively exploited one month later. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies on April 13 to secure their FortiClient EMS instances against attacks targeting the CVE-2026-21643 flaw within three days.
In total, CISA tracks 26 Fortinet vulnerabilities that have been exploited in attacks in recent years, 13 of which were abused by ransomware gangs.


