Skip to content
Tech News
← Back to articles

CISA urges immediate action on actively exploited Fortinet flaws

read original more articles
Why This Matters

The urgent alert from CISA highlights the critical need for immediate patching of actively exploited vulnerabilities in Fortinet's FortiSandbox platform, underscoring the ongoing threat landscape and the importance of timely security updates for organizations. This situation emphasizes the significance of proactive vulnerability management to prevent potential breaches and protect sensitive infrastructure. As attackers exploit these flaws in the wild, both the tech industry and consumers must prioritize rapid response to safeguard their systems.

Key Takeaways

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday ordered government agencies to prioritize patching two actively exploited vulnerabilities in the Fortinet FortiSandbox threat detection platform.

These two critical-severity security flaws (tracked as CVE-2026-39808 and CVE-2026-25089) were addressed by Fortinet on April 14 and June 9, respectively.

As the company detailed in security advisories issued at the time, successful exploitation allows unauthenticated threat actors to execute unauthorized code remotely through low-complexity command injection attacks that require no user interaction.

To resolve these issues and block incoming attacks, admins must upgrade all affected deployments to the latest released versions.

While Fortinet has yet to tag these two vulnerabilities as used in attacks, and has not yet replied to BleepingComputer's emails regarding in-the-wild exploitation, threat intelligence company Defused revealed on June 16 that attackers had started abusing them in the wild.

"We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation), CVE-2026-39808, CVE-2026-25089 (vibecoded, likely faulty exploit)," Defused warned.

On Thursday, CISA also confirmed that the flaws are actively exploited in the wild, adding them to its catalog of known exploited vulnerabilities. As mandated by Binding Operational Directive (BOD) 26-04, U.S. federal agencies must patch vulnerable FortiSandbox instances by Sunday, July 19.

In February, Fortinet also patched a critical SQL injection vulnerability (CVE-2026-21643) in the FortiClient Enterprise Management Server (EMS) platform, which Defused flagged ​​​​ as actively exploited one month later.

Two months later, the company addressed another security issue exploited in attacks: a path traversal vulnerability (CVE-2025-61624) that can allow authenticated attackers to escalate privileges.

Fortinet vulnerabilities are often exploited in cyber espionage campaigns and in ransomware attacks (often as zero-days). In total, CISA tracks 28 Fortinet vulnerabilities that have been exploited in attacks in recent years, 13 of which have also been abused in ransomware attacks.