Attackers are now trying to exploit three critical Fortinet FortiSandbox vulnerabilities, including CVE-2026-25089, a June 2026 command-injection flaw in the product’s web interface. The alert matters because FortiSandbox is not an ordinary desktop app: many organizations use it as a malware-analysis and threat-verdict system that other Fortinet controls can depend on for blocking decisions and automated response.
BleepingComputer reported on June 16 that threat intelligence firm Defused observed exploitation attempts against CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 during the previous 24 hours.[1] Help Net Security also noted the same activity, while adding an important caveat: Fortinet’s public advisories still mark the three bugs as not known exploited, and the vendor had not confirmed in-the-wild exploitation at the time of that report.[2] That gap should not make operators wait. The affected versions and fixes are already public, and the reported activity is aimed at unauthenticated attack surfaces.

The newest of the three, CVE-2026-25089, is described by Fortinet as an OS command-injection issue in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web UI handling. Fortinet says specially crafted HTTP requests may let an unauthenticated attacker execute unauthorized commands, and it lists fixed releases for affected 5.0 deployments.[3] FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8 are in scope for the appliance, while FortiSandbox Cloud 5.0.4 through 5.0.5 and FortiSandbox PaaS 5.0.4 through 5.0.5 also need upgrades to 5.0.6 or later.
The older April pair is also serious. CVE-2026-39813 is a path-traversal issue in the FortiSandbox JRPC API that can allow unauthenticated authentication bypass and privilege escalation on FortiSandbox 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8.[4] CVE-2026-39808 is an API command-injection flaw affecting FortiSandbox 4.4.0 through 4.4.8; Fortinet lists the attack type as unauthenticated and the impact as code or command execution.[5]
What FortiSandbox admins should check
First, confirm the product line and branch before applying a fix. Based on Fortinet’s advisories, FortiSandbox 5.2 is not affected by CVE-2026-25089 or CVE-2026-39813, while affected 5.0 systems should move to 5.0.6 or later. FortiSandbox 4.4 systems affected by the April issues should move to 4.4.9 or later. Older 4.2 FortiSandbox appliances are not listed for CVE-2026-39813, but Fortinet lists all 4.2 versions as affected by CVE-2026-25089, so admins should treat legacy deployments as a separate priority.
Second, reduce reachability while patching. A sandbox appliance often sits behind other security controls, but that does not automatically mean it is safe from HTTP-based abuse. Restrict management and web UI access to trusted administration networks, review reverse-proxy or VPN exposure, and check whether integrations can still submit samples without exposing administrative endpoints broadly.
Third, review recent web, API, and authentication logs for suspicious unauthenticated requests, path traversal patterns, unexpected VNC-start activity, unexplained administrator sessions, and child processes spawned from the web or API service context. Fortinet has not published full indicators for these reported attacks, so defenders should focus on anomalous request paths, new local users, changed automation accounts, and unexpected outbound connections from the appliance.
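The three checks above can be scripted. The following is an added example, not Fortinet tooling or code from this article: it turns the affected-version ranges stated in the advisories cited here into a branch check, and runs a small triage over constructed web-access log lines. The log format, the request paths (including the `/jsonrpc`, `/api/` and `/ui/vnc/start` paths), and the list of paths assumed to be reachable without a session are all assumptions made for illustration; FortiSandbox's real log layout and endpoint names are not on this page and should be substituted from your own appliance exports.

```python
"""Branch check and log triage for the FortiSandbox advisories discussed above.

Added example, not Fortinet's code. Version ranges follow the page's summary of
the vendor advisories. Log format and paths are CONSTRUCTED assumptions.
"""
import re
from urllib.parse import unquote

# Inclusive affected ranges per CVE, with the fixed release the page names.
# hi=None means the page says every build on that branch is affected; a fix
# of None means the page does not name a fixed build for that branch.
AFFECTED = {
    "CVE-2026-25089": [((5, 0, 0), (5, 0, 5), "5.0.6"),
                       ((4, 4, 0), (4, 4, 8), None),
                       ((4, 2), None, None)],
    "CVE-2026-39813": [((5, 0, 0), (5, 0, 5), "5.0.6"),
                       ((4, 4, 0), (4, 4, 8), "4.4.9")],
    "CVE-2026-39808": [((4, 4, 0), (4, 4, 8), "4.4.9")],
}


def parse_version(text):
    """'5.0.3' -> (5, 0, 3) so ranges compare as tuples, not strings."""
    return tuple(int(p) for p in text.split("."))


def _in_range(ver, lo, hi):
    if hi is None:                      # whole branch affected
        return ver[:len(lo)] == lo
    return lo <= ver <= hi


def affected_cves(version):
    """Return {cve: fixed_release_or_None} for every advisory covering this build."""
    ver = parse_version(version)
    return {cve: fix for cve, ranges in AFFECTED.items()
            for lo, hi, fix in ranges if _in_range(ver, lo, hi)}


# --- log triage ---------------------------------------------------------------
# Assumed line shape (constructed): client user "METHOD path HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<user>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$')
# Paths assumed to be legitimately reachable before login (assumption).
PUBLIC_PATHS = ("/ui/login", "/ui/static/")
TRAVERSAL_RE = re.compile(r'(^|[/\\?=&])\.\.([/\\]|$)')

# CONSTRUCTED sample: two internal admin requests, one unauthenticated client
# probing the JSON-RPC path with encoded traversal, one unauthenticated VNC start.
SAMPLE_LOG = """\
10.0.5.21 admin "GET /ui/dashboard HTTP/1.1" 200
203.0.113.7 - "GET /jsonrpc?file=..%2f..%2f..%2fconfig HTTP/1.1" 200
203.0.113.7 - "POST /jsonrpc HTTP/1.1" 200
10.0.5.21 admin "POST /api/v1/scan/submit HTTP/1.1" 202
198.51.100.9 - "POST /ui/vnc/start HTTP/1.1" 200
10.0.5.30 - "GET /ui/login HTTP/1.1" 200
"""


def decode_path(path):
    """Percent-decode repeatedly so double-encoded traversal is not missed."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def triage(log_text):
    """Return (rule, client, decoded_path) tuples worth a human look."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        path = decode_path(rec["path"])
        succeeded = int(rec["status"]) < 400
        if TRAVERSAL_RE.search(path):
            findings.append(("TRAVERSAL", rec["client"], path))
        # A successful request with no session on a non-public path is the
        # signature of the unauthenticated attack surface the advisories describe.
        if rec["user"] == "-" and succeeded and not path.startswith(PUBLIC_PATHS):
            findings.append(("UNAUTH_SUCCESS", rec["client"], path))
        if "vnc" in path.lower():
            findings.append(("VNC_ACTIVITY", rec["client"], path))
    return findings


if __name__ == "__main__":
    for build in ("5.0.3", "4.4.8", "4.2.2", "5.2.0"):
        print(build, affected_cves(build) or "not listed")
    for rule, client, path in triage(SAMPLE_LOG):
        print(f"{rule:15} {client:15} {path}")
```

Running it prints which advisories cover each build and flags the two external clients; in practice, feed `triage()` the appliance's exported web and API logs for the window before the upgrade, and treat any `UNAUTH_SUCCESS` hit on an administrative path as a reason to preserve the logs and look for new local users or changed automation accounts.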
The pattern is familiar: security infrastructure with unauthenticated web or API bugs quickly becomes attractive once patches and CVE details are public. Recent howtofix.guide coverage of FortiClient EMS abuse, Ivanti Sentry exploitation, and Check Point VPN ransomware activity shows the same operational lesson: patch the appliance, then verify that attackers did not get there first.
Bottom line: FortiSandbox operators should not wait for a KEV entry or a longer vendor exploitation note. If an affected FortiSandbox, FortiSandbox Cloud, or FortiSandbox PaaS instance is still on a vulnerable branch, upgrade it, limit web/API reachability, and preserve logs before routine rotation hides the first exploitation traces.
References
1. Sergiu Gatlan, BleepingComputer, “Critical Fortinet FortiSandbox flaws now exploited in attacks,” June 16, 2026. https://www.bleepingcomputer.com/news/security/critical-fortinet-fortisandbox-flaws-now-exploited-in-attacks/
2. Help Net Security, “Attackers are exploiting FortiSandbox vulnerabilities,” June 16, 2026. https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/
3. Fortinet PSIRT, “FG-IR-26-141: Second-Order OS Command Injection via JSON Input on start vnc feature,” CVE-2026-25089. https://fortiguard.fortinet.com/psirt/FG-IR-26-141
4. Fortinet PSIRT, “FG-IR-26-112: Unauthenticated Authentication bypass and Privilege escalation in FortiSandbox,” CVE-2026-39813. https://fortiguard.fortinet.com/psirt/FG-IR-26-112
5. Fortinet PSIRT, “FG-IR-26-100: OS Command Injection through API endpoint,” CVE-2026-39808. https://fortiguard.fortinet.com/psirt/FG-IR-26-100