Attackers are actively exploiting three vulnerabilities in Fortinet's FortiSandbox product to gain privileged access to enterprise security environments [1].
These flaws are critical because they allow remote attackers to bypass security protocols and execute arbitrary commands. If successful, an attacker can run malicious code and seize control of the systems designed to protect the network.
Threat-intelligence firm Defused Cyber said the exploitation activity was observed over the past 24 hours [1], [2]. The targeted vulnerabilities include CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 [1], [3].
Among these, CVE-2026-39813 is a path-traversal flaw with a CVSS base score of 9.1 [1]. Other vulnerabilities allow for authentication bypass [3] and remote code execution [1]. One of the three flaws was patched last week [1], yet reports indicate it remains a target for attackers.
FortiSandbox is used globally by organizations to analyze suspicious files and detect threats. The current exploits allow attackers to traverse directories and bypass authentication, effectively turning a security tool into an entry point for a breach [2], [3].
Fortinet has not provided a public statement regarding the specific number of affected customers, but the vulnerabilities allow for the execution of arbitrary commands [2]. Security professionals are urged to ensure all patches are applied immediately to mitigate the risk of privileged access by unauthorized actors [3].
“Attackers are actively exploiting three vulnerabilities in Fortinet's FortiSandbox product”
The exploitation of a security-focused product like FortiSandbox creates a high-risk scenario known as a 'defender's dilemma.' When the tools used to detect malware are themselves compromised, attackers can hide their presence and move laterally through a network with higher privileges, making detection significantly more difficult for security teams.
