
Critical Fortinet FortiSandbox flaws now exploited in attacks

Jeff Davies, 16 Jun 2026

1. Executive summary

Threat intelligence firm Defused reports active in-the-wild exploitation of three critical vulnerabilities in Fortinet's FortiSandbox platform (FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS) within the 24 hours preceding this advisory. The flaws — CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 — allow unauthenticated remote attackers to escalate privileges and execute arbitrary commands via low-complexity command injection in the WEB UI, requiring no user interaction. CVE-2026-25089 carries a CVSS score of 9.1 per the source material. Patches have been available since 14 April 2026; unpatched EMEA financial services deployments are at immediate risk of compromise. Fortinet appliances are a known initial-access vector for ransomware and cyber-espionage operations, and CISA has previously ordered federal agencies to remediate Fortinet flaws within three days — a benchmark EMEA entities should treat as the minimum standard.

2. Regulatory framing

For each article: the trigger (the fact in this item that engages it) and the practical impact.

DORA Art. 28
  Trigger: Fortinet FortiSandbox is an ICT third-party provider; active exploitation of unauthenticated RCE constitutes a third-party ICT risk event.
  Practical impact: Confirm FortiSandbox is in your ICT third-party register; review contractual notification clauses with Fortinet; ensure the vendor SLA covers emergency patching.

DORA Art. 29
  Trigger: If FortiSandbox is deployed at scale across the entity, exploitation creates a concentration-risk exposure.
  Practical impact: Assess the scope of the FortiSandbox deployment; document concentration risk; evaluate alternatives or compensating controls.

NIS2 Art. 21(2)(d)
  Trigger: Fortinet is a supply-chain vendor; unauthenticated RCE in a security product is a supply-chain compromise vector.
  Practical impact: Apply supply-chain security measures: asset inventory, patch SLAs, network segmentation of FortiSandbox from production zones.

DORA Art. 17
  Trigger: Active exploitation observed in the wild constitutes an ICT-related incident requiring a management process.
  Practical impact: Activate the incident response process; classify per Art. 18; preserve evidence; document the timeline.

DORA Art. 19
  Trigger: If exploitation results in a major ICT-related incident (compromise of FortiSandbox affecting operations), reporting obligations engage.
  Practical impact: Prepare the initial notification to the competent authority within the statutory reporting window; coordinate with the national CERT.

NIS2 Art. 23
  Trigger: Active exploitation of a critical ICT product triggers incident reporting obligations for in-scope entities.
  Practical impact: Report to the national CSIRT/CERT per national transposition; include an early warning within 24h if compromise is confirmed.

UK NIS 2018
  Trigger: FortiSandbox deployments at OES/RDSP entities (e.g. financial sector infrastructure) require duty-of-care patching.
  Practical impact: Verify FortiSandbox instances are patched; report incidents to the NCSC via standard channels.

3. Technical analysis & attack chain

Attack chain (confirmed steps)

  1. Initial access — unauthenticated network reachability. Attacker reaches the FortiSandbox WEB UI over the management interface (typically HTTPS/TCP 443). No authentication is required; no user interaction is needed.
  2. Exploitation — command injection in WEB UI. Attacker submits crafted input to a vulnerable WEB UI endpoint, triggering OS command injection. CVE-2026-25089 (CVSS 9.1) is the primary vector; CVE-2026-39808 and CVE-2026-39813 are also confirmed exploited.
  3. Privilege escalation. Post-injection, the attacker escalates from the WEB UI service context to root/privileged OS context on the FortiSandbox appliance.
  4. Arbitrary code execution. Attacker executes arbitrary OS commands on the FortiSandbox host with full system privileges.
  5. Impact. Full compromise of the FortiSandbox appliance — including its sandbox analysis environment, file samples submitted for detonation, and any network connectivity the appliance has to production or corporate segments.

Technical specifics

  • Affected products: FortiSandbox (on-prem appliance), FortiSandbox Cloud, FortiSandbox PaaS — specifically the WEB UI component.
  • Vulnerability class: OS command injection in WEB UI; unauthenticated; low attack complexity; no user interaction.
  • CVEs in active exploitation:
      • CVE-2026-25089 — command injection, WEB UI. CVSS 9.1 (per source). Defused notes this exploit appears "vibecoded, likely faulty" — a working public exploit has not yet been disclosed, but in-the-wild exploitation is nonetheless observed.
      • CVE-2026-39808 — under active exploitation per Defused.
      • CVE-2026-39813 — under active exploitation per Defused; no prior recorded exploitation before this campaign.
  • Related (not in this campaign but contextually relevant):
      • CVE-2025-61624 — medium-severity path traversal, exploited in the wild, requires high privileges (likely chained with another flaw).
      • CVE-2026-26083 — separate critical FortiSandbox RCE patched by Fortinet.
      • CVE-2026-21643 — FortiClient EMS SQL injection; CISA ordered federal remediation within 3 days on 13 April.
  • Patch status: Fortinet released security updates on 14 April 2026 for CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. Any deployment not on the post-April-14 fixed release is vulnerable.
  • Historical context: CISA tracks 26 Fortinet vulnerabilities exploited in attacks in recent years; 13 of those were abused by ransomware groups. Fortinet appliances are a recurring initial-access vector for both ransomware and cyber-espionage operations.

Caveats and unconfirmed elements

  • Attribution is unconfirmed. Defused is a threat-intelligence firm reporting exploitation activity; no specific threat-actor name, MITRE group designation, or campaign cluster has been attributed in the source material. Treat attribution as unconfirmed.
  • No IOCs published. The source material does not include attacker IP addresses, payload hashes, C2 domains, or specific malware samples. Any IOCs circulating externally should be treated as unverified until corroborated.
  • Exploit reliability for CVE-2026-25089. Defused flags the public exploit as "vibecoded, likely faulty" — meaning the working exploit may be unreliable, but this does not reduce the urgency to patch.

4. Mitigation & containment

P1 — within 24 hours

  • Patch FortiSandbox immediately. Upgrade to the post-14-April-2026 fixed release for FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Verify build version against Fortinet's PSIRT advisory before returning to production.
  • Isolate management interface. Restrict FortiSandbox WEB UI access (TCP 443) to a dedicated management VLAN or jump host. Block direct internet exposure. Apply ACLs at perimeter and internal firewalls.
  • Block external access. If FortiSandbox has any internet-reachable management port, take it offline until patched.
  • Hunt for indicators. Review FortiSandbox system logs for anomalous shell command execution, unexpected child processes spawned by the WEB UI service, or outbound connections to unfamiliar destinations in the 24–72 hours preceding this advisory.

P2 — within 72 hours

  • Audit FortiSandbox for compromise. Inspect /var/log/ and FortiSandbox-specific log directories for command-injection artefacts; check process lists for unexpected daemons; verify firmware integrity against vendor-signed images.
  • Rotate credentials. Assume any credential stored on or accessible from the FortiSandbox host is compromised; rotate service accounts, API tokens, and any AD/LDAP binds used by FortiSandbox.
  • Review network segmentation. Confirm FortiSandbox cannot reach production trading systems, payment infrastructure, or core banking platforms without explicit allow-listing. Apply east-west firewall rules.
  • Verify FortiClient EMS. Separately confirm FortiClient EMS instances are patched against CVE-2026-21643 (SQL injection) — CISA's 3-day remediation window is the benchmark.

P3 — within 7 days

  • Document and report. If exploitation is confirmed, classify per DORA Art. 18 and prepare reporting per DORA Art. 19 / NIS2 Art. 23 as applicable.
  • Vendor risk review. Update third-party ICT risk register (DORA Art. 28) to reflect this incident; review concentration risk (Art. 29); engage Fortinet account team on contractual notification and remediation obligations (Art. 30).
  • Detection tuning. Deploy or refine detection rules (see Section 6) for FortiSandbox WEB UI exploitation attempts and post-exploitation activity.

5. Indicators of compromise

No indicators of compromise available in the source material.

The source material does not publish attacker IP addresses, payload hashes, C2 domains, or specific malware artefacts. Any IOCs attributed to this campaign from third-party feeds should be validated against primary sources before actioning.

6. Detection

Insufficient indicators to author detection rules.

The source material does not contain specific malware samples, distinctive strings, command-line flags, scheduled-task names, registry keys, or ransom-note text associated with this campaign. Detection engineering should focus on:

  • Network: Alert on any inbound connection to FortiSandbox management interface (TCP 443) from non-allow-listed sources; alert on outbound connections from FortiSandbox to non-allow-listed destinations.
  • Process: Alert on shell or command-execution activity spawned by the FortiSandbox WEB UI service account outside normal operation.
  • Configuration: Alert on FortiSandbox configuration changes outside change windows.
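The two network rules above, expressed as an allow-list filter run over constructed flow records. This is an added example, not code from the advisory, Defused or Fortinet; the FortiSandbox management IP, the management VLAN range and the approved outbound range are assumptions taken from RFC 5737 documentation ranges, not real indicators.

```python
# Added example: allow-list checks for a FortiSandbox management interface over
# flow records of the form "src,sport,dst,dport". All addresses are constructed.
import ipaddress
from typing import Iterable, Optional, Tuple

# Assumed environment (constructed values, not from the advisory):
FORTISANDBOX_MGMT = ipaddress.ip_address("192.0.2.10")          # appliance mgmt IP
MGMT_ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.64/27")]  # mgmt VLAN / jump hosts
ALLOWED_OUTBOUND = [ipaddress.ip_network("198.51.100.0/24")]    # approved update/telemetry range
MGMT_PORT = 443                                                 # WEB UI port named in the advisory

Alert = Tuple[str, str, str]


def _allowed(addr, networks) -> bool:
    """True if addr falls inside any allow-listed network."""
    return any(addr in net for net in networks)


def classify(line: str) -> Optional[Alert]:
    """Return (rule, src, dst) when a flow record violates an allow-list, else None."""
    src, _sport, dst, dport = line.strip().split(",")
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Rule 1: inbound to the WEB UI from a source outside the management allow-list
    if dst_ip == FORTISANDBOX_MGMT and int(dport) == MGMT_PORT \
            and not _allowed(src_ip, MGMT_ALLOWED_SOURCES):
        return ("INBOUND_MGMT_FROM_NON_ALLOWLISTED", src, dst)
    # Rule 2: outbound from the appliance to a destination not explicitly approved
    if src_ip == FORTISANDBOX_MGMT and not _allowed(dst_ip, ALLOWED_OUTBOUND):
        return ("OUTBOUND_TO_NON_ALLOWLISTED", src, dst)
    return None


def scan(lines: Iterable[str]) -> list:
    """Run classify() over every non-empty record and collect the alerts."""
    return [a for a in (classify(l) for l in lines if l.strip()) if a]


# Constructed sample flows: one benign inbound, one suspect inbound,
# one approved outbound, one suspect outbound.
SAMPLE_FLOWS = """\
192.0.2.70,51234,192.0.2.10,443
203.0.113.5,44000,192.0.2.10,443
192.0.2.10,40001,198.51.100.20,443
192.0.2.10,40002,203.0.113.99,8443
"""

if __name__ == "__main__":
    for rule, src, dst in scan(SAMPLE_FLOWS.splitlines()):
        print(f"{rule}: {src} -> {dst}")
```

In production the records would come from the perimeter or east-west firewall exporting flows, and the allow-lists from the change-controlled segmentation policy referenced under P2.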

Once vendor PSIRT advisories or threat-intel feeds publish concrete IOCs, detection rules should be authored against those artefacts.

7. Sources

  • BleepingComputer — Critical Fortinet FortiSandbox flaws now exploited in attacks — https://www.bleepingcomputer.com/news/security/critical-fortinet-fortisandbox-flaws-now-exploited-in-attacks/ — 16 June 2026
  • The Hacker News — Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities — https://thehackernews.com/2026/06/ivanti-fortinet-and-sap-release-patches.html — June 2026
  • BSI Germany (CERT-Bund) — Fortinet FortiSandbox: Vulnerability allows command execution — https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1836 — 2026
  • SecurityWeek — Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks — https://www.securityweek.com/critical-forticlient-ems-vulnerability-exploited-in-fresh-attacks/ — 2026
  • ANSSI France CERT — Multiple vulnerabilities in Fortinet products — https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0725/ — 10 June 2026
  • The Hacker News — Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer — https://thehackernews.com/2026/05/threat-actors-exploit-critical.html — May 2026

8. Adverse Trace position

Severity: Critical. Three unauthenticated, low-complexity, no-interaction RCE vulnerabilities in a security-critical product (sandbox analysis), with active in-the-wild exploitation confirmed within the last 24 hours and patches available since 14 April. Any EMEA financial services entity running an unpatched FortiSandbox should treat the deployment as compromised-by-default until proven otherwise. Attribution remains unconfirmed — Defused is reporting activity, not naming an actor — but the historical pattern (Fortinet as a ransomware and espionage vector) means defenders should prepare for either scenario. Next steps: Adverse Trace will (1) monitor for vendor PSIRT IOCs and update detection rules accordingly; (2) track whether CISA adds any of CVE-2026-39813/39808/25089 to the KEV catalogue, which would trigger mandatory federal remediation timelines and inform EMEA regulatory expectations; (3) re-assess if a named threat actor or malware family is attributed. Clients should confirm patch status within 24 hours and report any suspected exploitation per DORA Art. 19 / NIS2 Art. 23 as applicable.

Published via PulseTrace — Adverse Trace threat intelligence.