Threat intelligence firm Defused Cyber observed active exploitation of three critical vulnerabilities in Fortinet FortiSandbox over a 24-hour window, with detection dated June 15, 2026. Fortinet had not confirmed in-the-wild exploitation at the time of publication. Of the three, CVE-2026-25089 had been patched roughly a week before the hostile activity began, while the other two have had patches available since April.
- According to Defused Cyber, three pre-authentication vulnerabilities in Fortinet FortiSandbox — CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 — were observed under active exploitation on June 15–16, 2026. Fortinet has not confirmed this account.
- The exploit observed for CVE-2026-25089, a flaw patched roughly a week before exploitation was observed, shows signs of AI-assisted development and is described as faulty; no working exploit has been publicly disclosed.
- Compromise of FortiSandbox puts at risk the verdicts that feed FortiGate, FortiMail, FortiClient, and other Fortinet products, with a potential amplification effect across the entire security stack.
- Primary sources report CVSS 9.1 for CVE-2026-39813 and CVE-2026-25089; for CVE-2026-39808 there is a conflict between 9.1 (majority of sources) and 9.8 (Security Affairs).
The Mechanism: From Path Traversal to Command Injection
The three vulnerabilities share the same attack surface — FortiSandbox's HTTP management interfaces — but follow distinct technical paths. CVE-2026-39813, per the official NVD record, is a path traversal vulnerability in the JRPC API that allows unauthenticated privilege escalation via specially crafted HTTP requests. CVE-2026-39808 and CVE-2026-25089 are both OS command injection flaws, classified CWE-78, enabling arbitrary command execution without valid credentials.
NVD records show the same CVSS 3.1 vector for all three CVEs: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Primary sources report a base score of 9.1 for CVE-2026-39813 and CVE-2026-25089. For CVE-2026-39808, the majority of sources indicate 9.1; Security Affairs reports 9.8, creating an unresolved conflict in the available data. Base scores are not explicit in the extracted NVD record text.
Affected versions cover FortiSandbox 4.4.0–4.4.8 and 5.0.0–5.0.5 for CVE-2026-39813; FortiSandbox 4.4.0–4.4.8 for CVE-2026-39808; and FortiSandbox 4.4.0–4.4.8, 5.0.0–5.0.5, all 4.2 versions, plus FortiSandbox Cloud 5.0.4–5.0.5 and FortiSandbox PaaS 5.0.4–5.0.5 for CVE-2026-25089.
Fortinet's released patches are version 4.4.9 or later and 5.0.6 or later for CVE-2026-39813; 4.4.9 or later for CVE-2026-39808. For CVE-2026-25089, the vendor made fixes available during the week prior to June 16, 2026.
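The affected and fixed builds above are easy to misread across two branches plus the unbounded 4.2 entry, so the following is an added example (not Fortinet's tooling or any code from the cited sources) that checks a FortiSandbox on-prem version string against the ranges as stated on this page. The fixed builds for CVE-2026-25089 are not given here, so that entry records affected ranges only; the Cloud and PaaS ranges are out of scope for this checker.

```python
"""Check a FortiSandbox version string against the affected ranges reported
for CVE-2026-39813, CVE-2026-39808 and CVE-2026-25089.

Added example. The ranges are transcribed from the advisory summary above;
the fixed builds for CVE-2026-25089 are not stated there and are left out.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected) per branch, inclusive. An upper bound of
# None means every release of that minor branch is listed as affected.
AFFECTED: Dict[str, List[Tuple[Version, Optional[Version]]]] = {
    "CVE-2026-39813": [((4, 4, 0), (4, 4, 8)), ((5, 0, 0), (5, 0, 5))],
    "CVE-2026-39808": [((4, 4, 0), (4, 4, 8))],
    "CVE-2026-25089": [((4, 4, 0), (4, 4, 8)), ((5, 0, 0), (5, 0, 5)),
                       ((4, 2, 0), None)],  # "all 4.2 versions"
}

# First fixed build per branch, as stated on the page.
FIXED: Dict[str, List[Version]] = {
    "CVE-2026-39813": [(4, 4, 9), (5, 0, 6)],
    "CVE-2026-39808": [(4, 4, 9)],
}


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (optional leading 'v') into a tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_cves(text: str) -> List[str]:
    """Return the CVEs whose affected ranges include the given version."""
    v = parse_version(text)
    hits: List[str] = []
    for cve, ranges in AFFECTED.items():
        for low, high in ranges:
            if high is None:
                in_range = v[:2] == low[:2]  # whole minor branch affected
            else:
                in_range = low <= v <= high
            if in_range:
                hits.append(cve)
                break
    return hits


def minimum_fixed_build(cve: str, text: str) -> Optional[Version]:
    """Lowest fixed build on the same minor branch, or None if the page does
    not state one (true for CVE-2026-25089 and for the whole 4.2 branch)."""
    v = parse_version(text)
    for fixed in FIXED.get(cve, []):
        if fixed[:2] == v[:2]:
            return fixed
    return None


def report(text: str) -> str:
    """Human-readable summary for one appliance version."""
    cves = affected_cves(text)
    if not cves:
        return f"{text}: not in any affected range listed"
    lines = [f"{text}: affected by {', '.join(cves)}"]
    for cve in cves:
        fixed = minimum_fixed_build(cve, text)
        target = ".".join(map(str, fixed)) if fixed else "fixed build not stated; consult vendor advisory"
        lines.append(f"  {cve}: upgrade to {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    for sample in ("4.4.8", "5.0.5", "4.2.3", "4.4.9", "5.0.6"):
        print(report(sample))
```

Run it with the version shown on each appliance's System Information page; a version that appears in no range is not proof of safety if the page's ranges are later revised, so treat the vendor advisory as authoritative.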
The Dependency Chain: Amplification Risks
FortiSandbox operates as a threat-analysis node whose verdicts drive blocking decisions in FortiGate, FortiMail, FortiClient, and other products in the Fortinet ecosystem. This internal supply-chain architecture is the primary impact multiplier of the incident.
"When an attacker gets inside that system, they aren't breaching one box, and they can poison the verdicts that every other tool downstream depends on, waving real malware through as clean. The supposed quarantine becomes the delivery route." — Waseem Ahmed, head of engineering at Secure.com, in a statement to SC World
An actor achieving code execution on the sandbox could manipulate analysis verdicts, labeling malicious samples as benign. Downstream systems that automatically trust these verdicts would risk passing threats without further scrutiny. Compromise of a single FortiSandbox exposes the entire dependent security stack to distributed bypass risk, according to expert analysis cited in the sources.
AI-Assisted Exploitation: Signals and Limits
Defused Cyber found that the exploit for CVE-2026-25089 "not only shows signs of being developed using an artificial intelligence (AI) model, but is also faulty." The source did not disclose specific technical indicators of the detection methodology nor clarify whether the structural defects prevent actual payload execution or merely limit reliability. Per the same source, "a working exploit for CVE-2026-25089 has not yet been publicly disclosed."
The dossier does not specify whether exploits for CVE-2026-39813 and CVE-2026-39808 also show signs of AI-assisted generation. The hypothesis that AI is shortening exploit development timelines remains confined, in confirmed data, to CVE-2026-25089 alone.
Defused Cyber's observation documents exploitation attempts using faulty generated code in a window that precedes public tool availability and overlaps directly with the vendor's patch cycle. Speed of generation, rather than technical perfection, is the moving parameter.
Immediate Actions
Operators managing FortiSandbox instances on affected versions must verify application of Fortinet's released patches: version 4.4.9 or later and 5.0.6 or later for the April-cycle vulnerabilities; fixes released the week prior to June 16, 2026 for CVE-2026-25089.
FortiSandbox HTTP management interfaces exposed to the network should be isolated or intensively monitored, since all three vulnerabilities are pre-authentication and require only IP connectivity to the interface. Management network segmentation is a standard containment measure for this risk profile.
Log correlation between FortiSandbox and downstream systems that consume its verdicts enables detection of anomalies in classification judgments, such as sudden flips from malicious to benign on previously blocked samples.
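To make the correlation concrete, the following is an added example (not a Fortinet feature or code from any cited source) that runs over a handful of constructed events in a simplified key=value format, not the real FortiSandbox or FortiGate log syntax. It flags two things the paragraph above calls out: a sandbox verdict that flips from malicious to clean for the same sample, and a downstream allow decision for a sample the sandbox had earlier called malicious. Sample identifiers are placeholders.

```python
"""Detect verdict flips and downstream allow decisions in correlated
sandbox/gateway events. Added example over a constructed log format."""
import re
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample events (not real FortiSandbox/FortiGate log lines).
# Deliberately out of time order to show that sorting is required.
SANDBOX_LOG = """\
2026-06-16T08:01:10Z source=fortisandbox sha256=sample_a verdict=malicious
2026-06-16T08:03:42Z source=fortigate sha256=sample_a action=blocked
2026-06-16T09:18:30Z source=fortigate sha256=sample_a action=allowed
2026-06-16T09:17:05Z source=fortisandbox sha256=sample_a verdict=clean
2026-06-16T08:10:00Z source=fortisandbox sha256=sample_b verdict=clean
2026-06-16T08:11:00Z source=fortigate sha256=sample_b action=allowed
2026-06-16T10:00:00Z source=fortisandbox sha256=sample_c verdict=clean
2026-06-16T10:30:00Z source=fortisandbox sha256=sample_c verdict=malicious
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+source=(?P<source>\S+)\s+sha256=(?P<sha>\S+)\s+"
    r"(?:verdict=(?P<verdict>\S+)|action=(?P<action>\S+))$"
)


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse the constructed format into dicts, sorted by timestamp."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the constructed format
        d: Dict[str, object] = m.groupdict()
        d["ts"] = datetime.strptime(str(d["ts"]), "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    events.sort(key=lambda e: e["ts"])  # type: ignore[arg-type]
    return events


def find_verdict_anomalies(text: str) -> List[Dict[str, str]]:
    """Return findings for malicious->clean flips and for downstream allows
    of samples the sandbox previously called malicious. A clean->malicious
    change is the normal direction (new detection) and is not flagged."""
    last_verdict: Dict[str, str] = {}
    ever_malicious: Set[str] = set()
    findings: List[Dict[str, str]] = []
    for e in parse_events(text):
        sha = str(e["sha"])
        ts = e["ts"].isoformat()  # type: ignore[attr-defined]
        if e["source"] == "fortisandbox":
            verdict = str(e["verdict"])
            if last_verdict.get(sha) == "malicious" and verdict == "clean":
                findings.append({"ts": ts, "sha256": sha,
                                 "kind": "verdict_flip_malicious_to_clean"})
            if verdict == "malicious":
                ever_malicious.add(sha)
            last_verdict[sha] = verdict
        elif e["source"] == "fortigate" and e["action"] == "allowed":
            if sha in ever_malicious:
                findings.append({"ts": ts, "sha256": sha,
                                 "kind": "downstream_allow_of_previously_malicious"})
    return findings


if __name__ == "__main__":
    for f in find_verdict_anomalies(SANDBOX_LOG):
        print(f"{f['ts']} {f['sha256']} {f['kind']}")
```

In production the two sources arrive from different devices, so the join key (the sample hash) and a shared clock are what make the correlation work; without time synchronisation the flip and the downstream allow can appear in the wrong order and the second finding is missed.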
Context: When the Source Is Single
The entire active exploitation narrative rests on Defused Cyber's observation. Fortinet, queried by multiple outlets, has not confirmed in-the-wild exploitation at the time of publication. The Register reports the vendor did not respond to comment requests. Help Net Security explicitly notes that "the vendor has yet to confirm in-the-wild exploitation of these vulnerabilities."
This configuration — a single structured threat intelligence source, without independent corroboration or vendor confirmation — demands caution in assessing the incident's scope. Operators must calibrate operational response based on their infrastructure risk profile, without waiting for confirmations that may not arrive promptly.
The 24-hour window documented by Defused Cyber, the overlap with the patch cycle for CVE-2026-25089, and the AI-assisted element constitute a signal of method more than proof of large-scale compromise. The relevant parameter is the speed with which threat actors are reacting to vendor fixes, shrinking the time margin available for defensive updates.
Sources: The Hacker News, Help Net Security, Security Affairs, The Register, SC World, NVD CVE-2026-39813, NVD CVE-2026-39808, NVD CVE-2026-25089, Help Net Security (April 2026)
Information verified against cited sources and current as of publication.
Sources
- https://thehackernews.com/2026/06/attackers-exploit-three-fortinet.html
- https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/
- https://securityaffairs.com/193709/ai/fortinet-warned-as-three-critical-fortisandbox-bugs-come-under-attack.html?amp
- https://www.theregister.com/security/2026/06/16/three-critical-fortinet-sandbox-bugs-splattered-by-unknown-attackers/5256461
- https://www.scworld.com/news/three-critical-fortisandbox-bugs-rated-98-actively-exploited
- https://nvd.nist.gov/vuln/detail/cve-2026-39813
- https://nvd.nist.gov/vuln/detail/CVE-2026-39808
- https://nvd.nist.gov/vuln/detail/CVE-2026-25089
- https://www.helpnetsecurity.com/2026/04/16/fortinet-fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808/