3 Recently Patched Fortinet FortiSandbox Vulnerabilities Targeted by Hackers


Exploit intelligence firm Defused reports active exploitation of three Fortinet FortiSandbox vulnerabilities, including critical flaws CVE-2026-39808 and CVE-2026-39813, with ongoing attacks targeting organizations globally.

Three recently patched Fortinet FortiSandbox vulnerabilities are being actively exploited in cyberattacks, according to exploit intelligence firm Defused.

Vulnerabilities Exploited

The company’s honeypot systems have detected attempts to leverage CVE-2026-39808, CVE-2026-39813, and CVE-2026-25089. Among these, CVE-2026-39813 and CVE-2026-39808 received critical severity ratings and were resolved in April. The former enables unauthorized access by circumventing authentication mechanisms, while the latter involves an operating system command injection vulnerability that could allow remote code execution. CVE-2026-25089, addressed in June 2026 through Fortinet’s Patch Tuesday updates, permits unauthenticated remote execution of arbitrary commands on affected appliances.

CVE-2026-39808 and CVE-2026-39813

Exploitation of CVE-2026-39808 was independently confirmed by KEVIntel on June 12. Both Defused and KEVIntel reported ongoing attacks targeting CVE-2026-39813 starting June 15. Defused noted that the exploit for CVE-2026-25089 appeared to have been generated with artificial intelligence and did not work when first analyzed.

CVE-2026-25089

The firm also observed exploitation of two additional Fortinet FortiClient EMS vulnerabilities, CVE-2026-21643 and CVE-2026-35616.

FortiBleed Campaign

A separate investigation by SOCRadar revealed over 30,000 compromised Fortinet firewalls exposing corporate networks to unauthorized access. This campaign, labeled FortiBleed, involves a threat actor systematically infiltrating Fortinet firewalls and VPN gateways to build a database of valid credentials. The affected devices span companies and government entities across 190+ countries, with significant concentrations in India and the United States.

Attack Methodology

The attackers scan internet-facing Fortinet devices, testing them against a curated list of default or commonly used passwords. Successful logins are recorded, and compromised systems are repurposed as monitoring nodes to capture additional credentials from network traffic. These newly acquired credentials are then reused to expand the attack surface.
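As an added, defender-side illustration of the spraying pattern described above (not code from the original article, Defused or SOCRadar): a small Python checker that flags a source IP failing management logins across several devices and records whether a later success from that source followed. The log lines are constructed in a simplified key=value style and are not Fortinet's real log schema; the field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified key=value style (not Fortinet's real schema).
# 203.0.113.7 fails on two devices, then succeeds; 198.51.100.20 is a single benign typo.
SAMPLE_LOGS = """\
date=2026-06-15 time=03:10:01 devname="fw-branch-01" action="login" status="failed" srcip=203.0.113.7 user="admin"
date=2026-06-15 time=03:10:04 devname="fw-branch-01" action="login" status="failed" srcip=203.0.113.7 user="admin"
date=2026-06-15 time=03:10:09 devname="fw-hq-02" action="login" status="failed" srcip=203.0.113.7 user="admin"
date=2026-06-15 time=03:10:15 devname="fw-hq-02" action="login" status="success" srcip=203.0.113.7 user="admin"
date=2026-06-15 time=03:11:00 devname="fw-branch-01" action="login" status="failed" srcip=198.51.100.20 user="netops"
date=2026-06-15 time=03:11:05 devname="fw-branch-01" action="login" status="success" srcip=198.51.100.20 user="netops"
date=2026-06-15 time=03:12:00 devname="fw-hq-02" action="logout" status="success" srcip=198.51.100.20 user="netops"
"""

# key=value pairs; values may be double-quoted (spaces allowed) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return the key/value fields of one log line with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def detect_spray(lines, fail_threshold=3, device_threshold=2):
    """Flag source IPs with >= fail_threshold failed logins spread over
    >= device_threshold distinct devices; also list devices where a login
    from that source succeeded after earlier failures (possible compromise)."""
    state = defaultdict(lambda: {"failed": 0, "devices": set(), "success_after": set()})
    for line in lines:
        f = parse_line(line)
        if f.get("action") != "login":
            continue  # only authentication attempts matter here
        entry = state[f.get("srcip")]
        if f.get("status") == "failed":
            entry["failed"] += 1
            entry["devices"].add(f.get("devname"))
        elif f.get("status") == "success" and entry["failed"] > 0:
            entry["success_after"].add(f.get("devname"))
    alerts = {}
    for src, e in state.items():
        if e["failed"] >= fail_threshold and len(e["devices"]) >= device_threshold:
            alerts[src] = {"failed": e["failed"],
                           "devices": sorted(e["devices"]),
                           "success_after": sorted(e["success_after"])}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOGS.splitlines()).items():
        print(src, info)
```

A non-empty `success_after` list is the case worth treating as an incident rather than noise, since it matches the "successful logins are recorded" step of the campaign.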

Findings and Implications

Researchers discovered the threat actor’s server exposed online, providing insights into its infrastructure and targets. Among the data recovered were credentials linked to a defense industry VPN endpoint, indicating potential broader
