• Category: Security
  • Status: confirmed
  • Sources: Help Net Security, Cybersecurity Dive
  • Summary: Three FortiSandbox vulnerabilities are under active exploitation, first reported on 2026-06-16. CVE-2026-39813 (CVSS 9.8) is a path traversal and authentication bypass in the FortiSandbox JRPC API that lets an unauthenticated remote attacker read sensitive system data such as configuration backups, serial numbers, and version details through crafted HTTP requests; CVE-2026-39808 and CVE-2026-25089 are the other two. Affected versions are FortiSandbox 5.0.0 to 5.0.5 and 4.4.0 to 4.4.8. Fortinet patched the flaws in April 2026; fixed releases are 5.0.6 and 4.4.9. Researchers observed exploitation against decoy infrastructure over port 443 via crafted JSON-RPC POST requests. The CVEs are not yet in the CISA KEV catalog.
  • Why it matters: A patched-but-now-exploited path on an internet-exposed security appliance gives unauthenticated attackers system data, so operators running exposed FortiSandbox management interfaces should patch and restrict access immediately.
  • Follow-up: Track CISA KEV addition and any confirmed compromise scope.

Send feedback on this story