Two vulnerabilities affecting Fortinet’s malware analysis and detection FortiSandbox have been exploited in the wild, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.
The vulnerabilities, tracked as CVE-2026-39808 and CVE-2026-25089 are both critical, with a severity rating (CVSS) of 9.1 each.
CISA added both to its Known Exploited Vulnerabilities (KEV) catalog on July 16, suggesting evidence of observed exploitation in the wild.
The agency urged rolling out patches across federal government by July 19.
ForitSandbox Exploits Can Lead to Execute Rogue Commands
CVE-2026-39808 was detected by Samuel de Lucas Maroto, a security researcher at KPMG Spain, and disclosed by Fortinet on April 14.
It is an operating system (OS) command injection vulnerability affecting Fortinet’s FortiSandbox versions 4.4.0 to 4.4.8.
When exploited, it allows an attacker to execute unauthorized code or commands via .
Fortinet has released a patch in FortiSandbox version 4.4.9.
The second bug, CVE-2026-25089, was initially identified by Adham El Karn, a security researcher within the Fortinet Product Security team, and was disclosed by the cybersecurity firm on June 9.
It is an OS command injection vulnerability affecting Fortinet’s FortiSandbox versions 5.0.0 to 5.0.5, 4.4.0 to 4.4.8 and all 4.2 versions, FortiSandbox Cloud versions 5.0.4 to 5.0.5 and FortiSandbox PaaS versions 5.0.4 to 5.0.5.
When exploited, it allows an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
Fortinet has released a patch in FortiSandbox versions 4.4.9 and 5.0.6.
CISA required US federal agencies to apply mitigations and patches released by Fortinet.
For cloud-based services, agencies should discontinue using the product if mitigations are unavailable.
CISA has not confirmed whether these vulnerabilities have been used in ransomware campaigns.
Image credits: Piotr Swat / bluestork / Shutterstock.com
