Key Takeaways
Critical CISA Alerts: Patch Now or Face Active Exploits

- CISA added two critical FortiSandbox command injection flaws (CVE-2026-39808 and CVE-2026-25089) to its Known Exploited Vulnerabilities catalog
- Both vulnerabilities carry 9.1 CVSS scores and allow unauthenticated remote code execution via HTTP requests
- Federal agencies must patch or disconnect affected systems under Binding Operational Directive 26-04
CISA confirmed Thursday that two critical FortiSandbox vulnerabilities are under active exploitation, adding them to its Known Exploited Vulnerabilities catalog and triggering mandatory patch deadlines for federal agencies. The flaws, CVE-2026-39808 and CVE-2026-25089, both carry 9.1 CVSS scores and let unauthenticated attackers execute arbitrary commands on FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS systems.
Fortinet released patches for CVE-2026-39808 in April and CVE-2026-25089 in June. The company has not updated its advisories to acknowledge in-the-wild exploitation and did not respond to questions from The Register.
What makes these FortiSandbox flaws so dangerous?
Both vulnerabilities are OS command injection flaws. Attackers can exploit them through specially crafted HTTP requests. No valid credentials required. No user interaction needed. That combination, unauthenticated remote code execution with low attack complexity, is about as bad as it gets for a security appliance.
The irony is hard to ignore: FortiSandbox exists to detect advanced threats by analyzing suspicious files in an isolated environment. When the sandbox itself becomes the entry point, attackers can compromise the very tool meant to stop them.
Security firm Defused reported observing exploitation attempts against both flaws this week, along with a third FortiSandbox vulnerability, CVE-2026-39813.
Not every exploit attempt is succeeding. Defused described the attack code targeting CVE-2026-25089 as "vibecoded" and likely broken. The firm has not yet seen a working public exploit for that vulnerability. That could change quickly once proof-of-concept code circulates.
What does the CISA directive require?
Binding Operational Directive 26-04 compels federal civilian agencies to patch vulnerabilities in CISA's KEV catalog by specified deadlines. If patching is not possible, agencies must pull affected products offline. CISA does not publicly attribute attacks or disclose how widespread exploitation is, but inclusion in the catalog means the agency has confirmed evidence of active abuse.
Private organizations are not legally bound by the directive, but CISA's KEV catalog has become a de facto priority list for enterprise security teams. When CISA says a vulnerability is being exploited, waiting to patch is a gamble with known odds.
SharePoint Server also lands on the exploited list
Thursday's KEV update included a third addition: CVE-2026-58644, a critical deserialization vulnerability in Microsoft SharePoint Server. Rated 9.8 CVSS, the flaw lets authenticated attackers with Site Owner privileges execute arbitrary code remotely. Microsoft warned exploitation is possible over the internet with relatively little effort.
SharePoint deployments often hold sensitive documents and integrate deeply with other Microsoft 365 services. A compromised SharePoint server can become a pivot point for lateral movement across an organization's infrastructure.
How should IT teams prioritize these patches?
The FortiSandbox flaws deserve immediate attention if you run affected versions. Unauthenticated RCE on a perimeter security device is a worst-case scenario. Check Fortinet's advisories for the specific versions affected and the patched releases.
For SharePoint, the Site Owner privilege requirement provides some mitigation. The attacker needs an account with elevated permissions, not just any authenticated user. But that bar is lower than it sounds in organizations with loose SharePoint governance.
- FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS users: apply April and June patches immediately
- SharePoint Server admins: deploy Microsoft's latest security updates and audit Site Owner access
- All organizations: review CISA's KEV catalog as a priority patching guide
Logicity's Take
Fortinet's silence on active exploitation is frustrating but typical. The company patched these flaws months ago without flagging them as exploited, leaving customers to assess urgency themselves. CISA filling that gap is helpful, but the lag between patch release and confirmed exploitation gives attackers a window. Organizations running FortiSandbox should also audit their exposure to similar products. Palo Alto Networks, Cisco, and Check Point offer comparable sandboxing solutions, and each has faced its own critical vulnerabilities in recent years. The pattern is clear: perimeter security appliances are high-value targets, and treating their patches as optional is no longer defensible.
Frequently Asked Questions
What is CVE-2026-39808?
CVE-2026-39808 is a critical OS command injection vulnerability in FortiSandbox with a 9.1 CVSS score. It allows unauthenticated attackers to execute arbitrary commands via specially crafted HTTP requests. Fortinet released a patch in April 2026.
Are FortiSandbox Cloud and FortiSandbox PaaS affected?
Yes. Both CVE-2026-39808 and CVE-2026-25089 affect FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS deployments.
What is CISA's Known Exploited Vulnerabilities catalog?
The KEV catalog is a list maintained by CISA of vulnerabilities with confirmed active exploitation. Federal agencies must patch KEV-listed flaws within specified deadlines. Private organizations use it as a prioritization guide.
Does my organization have to follow CISA's patch deadlines?
Binding Operational Directive 26-04 applies only to federal civilian agencies. Private organizations are not legally bound but should treat KEV-listed vulnerabilities as high priority.
Is there a public exploit available for these FortiSandbox flaws?
Security firm Defused observed exploitation attempts but noted that some attack code appears broken. A working public exploit for CVE-2026-25089 has not been confirmed yet.
Need Help Implementing This?
If your security team needs assistance assessing FortiSandbox exposure or prioritizing patches, contact Logicity for a consultation with our enterprise IT advisory partners.
Source: www.theregister.com
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.






