Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week

By Team-CWD, June 24, 2026 (5 min read)

Bad actors are exploiting multiple security vulnerabilities in Fortinet FortiSandbox, according to threat intelligence firm Defused Cyber.

In a post shared on X, the company said it has observed exploitation of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 over the past 24 hours.

CVE-2026-39813 (CVSS score: 9.1) refers to a path traversal vulnerability in the FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.

The second flaw, CVE-2026-39808 (CVSS score: 9.1), is a case of operating system command injection that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. Both vulnerabilities were patched by Fortinet in April 2026.

CVE-2026-25089 (CVSS score: 9.1), on the other hand, was fixed last week, with Fortinet describing it as an operating system command injection impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that could allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.

Defused Cyber noted that the exploit for CVE-2026-25089 not only shows signs of being developed using an artificial intelligence (AI) model, but is also faulty. A working exploit for the vulnerability has not been publicly disclosed.

Vulnerabilities in Fortinet appliances have become a lightning rod for attackers in recent years. In April 2026, Fortinet released out-of-band patches for a critical security flaw impacting FortiClient EMS (CVE-2026-35616, CVSS score: 9.1) that it said has been exploited in the wild.

FortiBleed Compromised Over 30,000 Fortinet Firewalls

The disclosure comes as SOCRadar revealed that suspected Russian-speaking threat actors have compromised more than 30,000 Fortinet firewalls as part of an ongoing, large-scale campaign that has systematically targeted the network security devices across 194 countries.

The cybersecurity company made the discovery after identifying an operational server associated with the activity.

“The attacker’s database contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries,” SOCRadar said. “These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock.”

The compromised devices include those belonging to banks, telecom operators, hospitals, universities, government agencies, energy companies, and multinational corporations. India, the U.S., Mexico, Colombia, Thailand, Taiwan, Indonesia, Malaysia, Singapore, and France make up the top 10 countries, with India accounting for 60% of all internet-exposed Fortinet deployments in the government sector.

“The group uses a two-step approach,” the company added. “First, they try a list of previously leaked Fortinet passwords against devices across the internet – many organizations never changed passwords after earlier breaches. Second, once inside a device, they passively monitor network traffic to collect additional credentials as they pass through. Those are then used to compromise even more devices.”

Update

In a follow-up analysis published on June 17, 2026, Hudson Rock said the FortiBleed campaign has “successfully targeted 73,932 unique firewall URLs across 194 countries, resulting in 21,632 unique affected domains.” Details of the activity were first flagged by Volodymyr “Bob” Diachenko in a post shared on LinkedIn last week.

“This is a Russian-speaking multi-operator group conducting large-scale credential harvesting against Fortinet FortiGate SSL VPN appliances worldwide,” Diachenko said. “The operation processed 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MS-SQL servers.”

The group’s tradecraft extends beyond credential harvesting and reuse. It’s assessed that the attackers intercept SSL-VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments for follow-on exploitation and persistence.

It’s suspected that the attackers are scanning internet-exposed Fortinet instances in an attempt to break into them using known password lists and record successful logins. The compromised devices are then used as listening posts to capture additional credentials that pass through them, creating a “continuous loop of unauthorized access.”
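
The password-list-then-record-success pattern described above leaves a recognisable trace in FortiGate SSL VPN event logs: a burst of login failures from one source address followed by a success. The detector below is an added example, not code from the article or from any vendor; the sample lines are constructed in FortiGate's key=value log style, and the field names, logids and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on FortiGate's key=value event-log format.
# Field names, logids and values are assumptions for illustration only.
SAMPLE_LOGS = """\
date=2026-06-17 time=09:00:01 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="jsmith" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-17 time=09:00:02 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="mlee" reason="sslvpn_login_unknown_user" msg="SSL user failed to logged in"
date=2026-06-17 time=09:00:03 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="vpnadmin" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-17 time=09:00:04 logid="0101039424" type="event" subtype="vpn" action="ssl-login" remip=203.0.113.10 user="vpnadmin" reason="N/A" msg="SSL user logged in"
date=2026-06-17 time=09:05:00 logid="0101039426" type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="jsmith" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in"
date=2026-06-17 time=09:05:20 logid="0101039424" type="event" subtype="vpn" action="ssl-login" remip=198.51.100.7 user="jsmith" reason="N/A" msg="SSL user logged in"
"""

# Matches key=value pairs where the value is either a quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect_credential_stuffing(log_text, min_failures=3):
    """Flag source IPs whose SSL VPN login attempts fail at least `min_failures` times
    and then succeed, the fingerprint of a password list being replayed until one works.
    Returns {remip: {"failures": n, "users_tried": [...], "success_user": user}}."""
    state = defaultdict(lambda: {"failures": 0, "users": set(), "success_user": None})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn":          # only SSL VPN events are relevant here
            continue
        src = state[ev.get("remip", "?")]
        if ev.get("action") == "ssl-login-fail":
            src["failures"] += 1
            src["users"].add(ev.get("user", ""))
        elif ev.get("action") == "ssl-login" and src["failures"] >= min_failures:
            src["success_user"] = ev.get("user")  # success after a failure burst
    return {ip: {"failures": s["failures"], "users_tried": sorted(s["users"]),
                 "success_user": s["success_user"]}
            for ip, s in state.items() if s["success_user"]}


if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(SAMPLE_LOGS).items():
        print(f"{ip}: {hit['failures']} failures over {hit['users_tried']}, then login as {hit['success_user']}")
```

A single failure followed by a success (the second source above) is an ordinary typo and is not flagged; the threshold and a time window are what to tune against your own log volume.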

“A particularly alarming detail from this dataset is the high volume of extremely complex passwords that were successfully compromised,” Hudson Rock noted. “However, complexity is completely neutralized when passwords are recovered in plaintext. If the attackers are recycling known plaintext credentials to bypass perimeters, complexity policies offer no protection.”

Cybersecurity researcher Kevin Beaumont, who independently reviewed the dataset, said the credentials are legitimate, adding that the FortiGate management interface is exposed to the internet on the majority of impacted devices. “The data appears to have come from exports of config from the devices, as it includes things which are only visible from the device itself,” Beaumont added.

When reached for comment, Fortinet told The Hacker News that the collection of credentials was obtained through previous incidents and brute-force attacks, and does not involve any new security flaw or breach.

“Fortinet is aware of a reported third-party credential-harvesting campaign targeting Fortinet firewalls and VPN gateways,” a Fortinet spokesperson said. “We are committed to safeguarding our customers, and we diligently and continuously monitor threat actor darknet activity.”

“Based on our initial analysis, the data involved is likely a resharing of data from previous incidents, as well as brute-forcing of credentials, and not related to any current incident or advisory.”

“Organizations that follow routine best practices, including regularly rotating security credentials and enabling multi-factor authentication, as per guidance in this March blog, face minimal risk from credential compromise detail referenced in the reporting. Fortinet continues to investigate these reports with the security of our customers as our top priority.”

(The story was updated after publication to include additional details of the FortiBleed campaign and a response from Fortinet.)