Attackers are actively exploiting a pair of critical Fortinet vulnerabilities in FortiSandbox, a security product customers use to identify and defend against emerging threats across their network, according to researchers.
Fortinet disclosed and patched the vulnerabilities — CVE-2026-39808 and CVE-2026-39813 — in April, but it hasn’t confirmed exploitation. The company did not respond to a request for comment.
VulnCheck said it first observed exploitation of CVE-2026-39808, an OS-command injection vulnerability, on June 9. Researchers at threat intelligence firm Defused confirmed exploitation of the same defect June 11, and observed exploitation of CVE-2026-39813, a path-traversal vulnerability, on June 15.
Simo Kohonen, founder and CEO of Defused, said the firm observed 49 exploitation events from 11 distinct IPs against the pair of defects over a six-day period. Attackers are also attempting to exploit a third FortiSandox vulnerability, CVE-2026-25089, which Fortinet disclosed and patched June 9, he added.
Researchers haven’t determined how many Fortinet customers are directly impacted, yet post-exploitation activity thus far, which includes verification and reconnaissance, usually precedes a heavier wave of attacks, Kohonen said.
Defused traced the malicious activity to 13 sources originating from nine countries, including China, South Korea, Taiwan, India, Singapore, Germany, the Netherlands, Canada and Bulgaria.
“The spread and the share proof-of-concepts point to multiple independent operators on commodity infrastructure, not one campaign,” Kohonen told CyberScoop.
Researchers said they haven’t observed evidence attackers are chaining the vulnerabilities together, but the exploits are functioning with one another by bypassing authentication, escalating privileges and allowing attackers to execute arbitrary commands.
The exploits, which multiple research firms have observed in honeypots, mark the early stages of another potential wave of attacks targeting Fortinet customers.
The Cybersecurity and Infrastructure Security Agency has flagged 26 Fortinet vulnerabilities in its known exploited vulnerabilities catalog since 2021. As of Wednesday, the agency hasn’t added any of the new Fortinet defects to its catalog.
Researchers warn that the vulnerabilities affect a significant device in enterprise security architecture.
“Sandbox appliances are typically trusted systems used to analyze suspicious content and support broader detection workflows, which means a compromise could provide attackers with elevated access within a security sensitive environment,” Chris Doyle, head of security and compliance at JupiterOne, said in an email.
Kohonen added: “FortiSandbox is high-value because it ingests from and connects to other Fortinet devices.”
