Researchers are warning that critical vulnerabilities in Fortinet’s FortiSandbox are under exploitation.
Defused, a firm that tracks security vulnerabilities, on Tuesday said three separate flaws in Fortinet FortiSandbox were being exploited by attackers, according to a post on X. FortiSandbox is an AI-powered tool that is used to isolate and analyze malware and zero-day threats.
The first, an operating system command-injection vulnerability tracked as CVE-2026-25089, was patched on June 9. Fortinet said in an advisory that the flaw could allow an unauthenticated attacker to execute commands by using specially crafted HTTP requests.
A second OS command-injection flaw, tracked as CVE-2026-39808, could allow an attacker to execute code or commands by using specially crafted HTTP requests. That vulnerability was originally disclosed in April.
The third flaw is a path-traversal vulnerability, tracked as CVE-2026-39813, that allows an attacker to bypass authentication and launch an attack. It was also disclosed in April.
No info on victims, attackers
Researchers at Defused so far have no information on who may be behind the attacks, whether customers were directly impacted, or what post-exploitation activity has taken place.
The threat activity is the latest to target Fortinet products in recent months. In April, a critical zero-day flaw in FortiClient Endpoint Management Server was targeted in attacks. The company released an emergency hotfix.