Attackers are actively exploiting three critical vulnerabilities in Fortinet's FortiSandbox platform to gain unauthorized access to secure networks [1].

These flaws are particularly dangerous because they target a tool designed for cyber-threat detection. If a security platform itself is compromised, attackers can bypass the very defenses meant to stop them, potentially gaining a foothold in an organization's entire infrastructure.

The vulnerabilities identified include CVE-2026-39808, which allows for remote code execution [4], and CVE-2026-39813, which enables an authentication bypass [4]. A third flaw, CVE-2026-25089, allows for privilege escalation [4]. Together, these bugs permit unauthenticated actors to execute code and elevate their permissions within the system [1].

Fortinet released patches for these vulnerabilities during its June 2026 update cycle [4]. Despite the availability of these fixes, security reports published this month indicate that unknown attackers have already begun targeting unpatched systems [1].

While some reports focus on the three flaws within FortiSandbox [1], other security advisories note that Fortinet also addressed critical remote code execution flaws in its FortiAuthenticator product during the same period [4]. This suggests a broader window of vulnerability across multiple Fortinet security products.

Security experts recommend that administrators immediately verify their software versions and apply the latest updates. The nature of these exploits — specifically the ability to bypass authentication — means that attackers do not need valid credentials to compromise a system [1].


The exploitation of a sandbox environment is a high-severity event because these tools often have deep visibility into network traffic and file behavior. When attackers turn a security tool into an entry point, it creates a 'blind spot' for defenders, as the compromised system may stop reporting the very malicious activity the attackers are using to move laterally through the network.