Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1929+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. CISA Orders Immediate Patching of Actively Exploited Fortinet FortiSandbox Flaws
CISA Orders Immediate Patching of Actively Exploited Fortinet FortiSandbox Flaws
NEWS

CISA Orders Immediate Patching of Actively Exploited Fortinet FortiSandbox Flaws

CISA added two critical Fortinet FortiSandbox OS command injection vulnerabilities to its KEV catalog and gave federal agencies just three days to patch, as active exploitation continues against the security appliance platform.

Dylan H.

News Desk

July 17, 2026
4 min read

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) added two critical Fortinet FortiSandbox vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on July 16, 2026, directing Federal Civilian Executive Branch (FCEB) agencies to patch within three days — by July 19, 2026 — under the accelerated timeline established by Binding Operational Directive 26-04.

Both flaws are unauthenticated OS command injection vulnerabilities carrying CVSS scores of 9.1 to 9.8, and exploitation has been actively observed in the wild since June 2026.

The Vulnerabilities

CVE-2026-25089 — Web UI OS Command Injection (CVSS 9.8)

This flaw resides in FortiSandbox's Web UI, specifically in the "start VNC" feature. An unauthenticated remote attacker can inject shell metacharacters via crafted JSON payloads sent via HTTP POST to the /jsonrpc/ endpoint — requiring no credentials, no user interaction, and minimal attack complexity.

Fortinet patched CVE-2026-25089 on June 9, 2026. CISA added it to the KEV catalog July 16, 2026, following confirmed exploitation.

CVE-2026-39808 — API Endpoint OS Command Injection (CVSS 9.8)

This vulnerability affects a FortiSandbox API endpoint, allowing unauthenticated attackers to execute arbitrary commands as root via crafted HTTP requests. A public proof-of-concept exploit weaponizing the jid GET parameter via pipe-chained Unix commands has been available since April 2026. Exploitation was first captured by honeypot sensors on June 12, 2026.

CVE-2026-39813 — Authentication Bypass via Path Traversal (CVSS 9.1)

A third related flaw, also added to the KEV catalog simultaneously, allows attackers to bypass authentication entirely by injecting traversal sequences into the JRPC API. This vulnerability enables chaining: attackers can bypass authentication via CVE-2026-39813 and then trigger command injection via CVE-2026-25089 or CVE-2026-39808, achieving full unauthenticated root-level code execution.

Why FortiSandbox Is a High-Value Target

FortiSandbox is a malware detonation and threat analysis platform — the appliance organizations use to safely examine suspicious files and network traffic. Compromising it gives attackers:

  • Visibility into threat intelligence workflows and what threats an organization is actively investigating
  • Access to network credentials and integration pathways between security tools
  • Persistent blind spots in security operations — potentially allowing other malware to pass through undetected
  • Long-term persistence inside the security stack itself, far removed from typical endpoint detection coverage

The stakes are uniquely high precisely because these are security infrastructure devices.

Affected Versions

ProductAffected Versions
FortiSandbox5.0.0 – 5.0.5, 4.4.0 – 4.4.8, all 4.2.x versions
FortiSandbox Cloud5.0.4 – 5.0.5
FortiSandbox PaaS23.4 – 22.2

Remediation

Patch immediately:

  • Upgrade FortiSandbox on-premises to 4.4.9 or 5.0.6+
  • Upgrade FortiSandbox Cloud and PaaS to 5.0.6+
  • FortiSandbox 4.2.x has no direct fix — contact Fortinet for migration guidance

If immediate patching is not feasible:

  1. Isolate the management interface from untrusted networks immediately
  2. Restrict web UI and API access to designated administrator hosts only
  3. Audit logs for indicators of compromise, particularly unexpected commands or lateral movement from the appliance
  4. Monitor outbound connections from FortiSandbox for anomalous activity

Broader Threat Context

These advisories come amid a large-scale campaign attributed to suspected Russian-speaking threat actors that has targeted over 30,000 Fortinet firewalls across 194 countries. The campaign reportedly involved more than 1.16 billion credential attempts against FortiGate targets.

Organizations running Fortinet security appliances should treat this advisory as a priority-one patching event regardless of federal mandate status.

References

  • CISA KEV Catalog — July 16, 2026 Addition
  • BleepingComputer — CISA warns feds to patch exploited Fortinet FortiSandbox flaws by Sunday
  • Fortinet PSIRT Advisory — CVE-2026-25089
  • Help Net Security — Attackers exploiting FortiSandbox vulnerabilities
#CISA#Fortinet#FortiSandbox#CVE-2026-25089#CVE-2026-39808#KEV#Patch Now#Security Updates

Related Articles

Fortinet Warns of Critical RCE Flaws in FortiSandbox and FortiAuthenticator

Fortinet has released emergency security patches for two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to...

7 min read

CISA Orders Feds to Prioritize Patching Langflow Auth Bypass Flaw

CISA added CVE-2026-55255, a CVSS 9.9 IDOR authorization bypass in Langflow, to its Known Exploited Vulnerabilities catalog on July 7, ordering U.S....

6 min read

CISA Sets Urgent Deadline to Fix Cisco Flaw Actively Exploited in Attacks

CISA has added a Cisco Unified Communications Manager Server vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to...

4 min read
Back to all News