Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April

https://cyberscoop.com/fortinet-fortisandbox-vulnerabilities-exploits/

Publish Date: 2026-06-17 11:42:46

Source Domain: cyberscoop.com

Summary:
Security researchers have observed active exploitation attempts against two critical Fortinet vulnerabilities in FortiSandbox. Fortinet disclosed and patched the vulnerabilities, CVE-2026-39808 and CVE-2026-39813, in April, but the company has not confirmed active exploitation. Researchers at VulnCheck and Defused verified the breaches starting on June 9, with evidence pointing to multiple independent actors from various countries, including China and Germany. The attack activity involves OS-command injection and path-traversal exploits, which allow attackers to escalate privileges and execute arbitrary commands. Though the number of affected customers remains undetermined, such reconnaissance typically precedes a major attack wave. The Cybersecurity and Infrastructure Security Agency is tracking the situation but has yet to add the vulnerabilities to its catalog of known exploited vulnerabilities.

Key Points:

  • Researchers confirm active exploitation of Fortinet’s vulnerabilities, including CVE-2026-39808 and CVE-2026-39813.
  • Attackers are also attempting to exploit a third vulnerability, CVE-2026-25089.
  • Evidence suggests multiple operators using the exploits rather than a single coordinated campaign.
  • Exploits enable privilege escalation and command execution, potentially compromising security-sensitive environments.
  • Compromised FortiSandbox appliances provide attackers with elevated access to broader Fortinet devices and trusted systems.