Fortinet FortiSandbox faces active exploitation of three separate vulnerabilities, with threat actors actively leveraging the flaws in real-world attacks. Defused Cyber detected exploitation attempts across all three CVEs within a 24-hour window.
CVE-2026-39813 carries a critical CVSS score of 9.1 and involves a path traversal flaw in the FortiSandbox JRPC API. This vulnerability allows attackers to bypass access controls and read or modify files outside intended directories. The flaw directly threatens the integrity of sandbox environments that organizations rely on to safely analyze malware and suspicious files.
CVE-2026-39808 and CVE-2026-25089 remain under active exploitation as well. While specific technical details on these two vulnerabilities remain limited, their concurrent exploitation alongside the critical path traversal flaw suggests coordinated attack campaigns targeting FortiSandbox deployments across multiple organizations.
Fortinet patched at least one of these vulnerabilities recently, yet attackers continue exploiting unpatched instances. Organizations running FortiSandbox likely face immediate risk if they have not applied security updates. The combination of high CVSS scores and confirmed active exploitation creates time-sensitive pressure for defenders.
FortiSandbox serves as a critical security tool for many enterprises, processing suspicious files and potential malware in isolated environments before they reach production systems. Compromise of this component could allow attackers to study sandbox defenses, bypass detection mechanisms, or gain elevated access to networks. An attacker who exploits path traversal vulnerabilities gains file system access that could lead to lateral movement within infrastructure.
Organizations should immediately verify their FortiSandbox versions against Fortinet's security advisories and deploy patches without delay. Network teams should also review logs for evidence of exploitation attempts targeting the JRPC API. The 24