Trio of critical vulnerabilities in Fortinet FortiSandbox under attack
- Kamy Le

- 23 hours ago
Cyber threat intelligence company Defused has recently issued an important warning regarding the Fortinet FortiSandbox system becoming a target for exploit attacks. Given the critical role of FortiSandbox as a defensive gateway, its status as a target is garnering significant attention from the technology community.
For enterprises, FortiSandbox functions as an Artificial Intelligence (AI)-powered "security sandbox," tasked with isolating and analyzing unknown malware or threats. This is a core platform that enables other Fortinet security products to automatically block risks.
Overview of the three security vulnerabilities under scrutiny
According to published research, attackers are attempting to simultaneously exploit three different weaknesses in the FortiSandbox system. Specifically, these include:
CVE-2026-25089 (OS Command Injection vulnerability): This flaw affects the web-based user interface of FortiSandbox, including the cloud editions (FortiSandbox Cloud and PaaS). No account is required: an attacker can send specially crafted HTTP requests that force the system to execute unauthorized commands. The vulnerability was patched on June 9, following its discovery by expert Adham El Karn of the Fortinet security team.
CVE-2026-39808 (OS Command Injection vulnerability): First announced in April, this vulnerability also allows attackers to execute dangerous code or commands via malicious HTTP requests without requiring authentication.
CVE-2026-39813 (Path Traversal vulnerability): Also discovered in April, this flaw resides in the system's JRPC API. Hackers can exploit it to bypass the system's standard login process entirely.
Fortinet states that patches are now available for all three of the vulnerabilities above.
Anonymous hackers and the threat from AI-generated exploit code
Although warnings have been issued, experts at Defused acknowledge that they do not yet have detailed information regarding which customers have been directly affected, who is behind these campaigns, or what actions were taken after successful infiltration. On the manufacturer's side, Fortinet has yet to provide official confirmation regarding successful exploits in real-world environments.
Notably, experts found that the exploit code for CVE-2026-25089 shows signs of having been generated with AI tools (so-called "vibecoded" code). Although the code appears buggy and not yet fully functional, it is a worrying signal.
Historically, FortiSandbox has not been a primary target for hackers. However, the emergence of AI is lowering technological barriers, helping to accelerate vulnerability research and malware development. This means that cybercriminals will tend to cast a wider net and attack any newly revealed vulnerabilities.

A challenging period for Fortinet
This wave of attacks continues a series of security challenges that Fortinet has faced recently. Just this past April, a critical "Zero-day" vulnerability (a vulnerability without a patch at the time of attack) in the FortiClient Endpoint Management Server system was also extensively exploited by attack groups, forcing the company to release an emergency patch shortly thereafter.
In summary, although the FortiSandbox vulnerabilities have been addressed technically, the growing availability of AI-assisted hacking tools is a practical reminder for system administrators: apply the latest security patches as soon as possible to protect the enterprise against emerging technological risks.
Reference: CybersecurityDive