GBHackers

CISA Warns of Two Fortinet FortiSandbox Flaws Exploited to Execute Commands


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities in Fortinet FortiSandbox to its Known Exploited Vulnerabilities (KEV) catalog.

These flaws are actively being exploited in the wild to execute unauthorized commands on affected systems. The vulnerabilities, tracked as CVE-2026-39808 and CVE-2026-25089, involve OS command injection weaknesses (CWE-78) and impact FortiSandbox deployments, including FortiSandbox Cloud and FortiSandbox PaaS environments.

CISA Warns of Two Fortinet FortiSandbox Flaws

According to CISA, CVE-2026-39808 affects FortiSandbox appliances. It allows unauthenticated attackers to execute arbitrary OS-level commands through specially crafted HTTP requests.

This vulnerability arises from insufficient input validation in the request-handling mechanisms, enabling attackers to inject malicious commands that execute within the underlying operating system.

As a result, attackers could achieve full system compromise, unauthorized data access, or lateral movement within enterprise environments. Importantly, this vulnerability does not require authentication, which significantly lowers the barrier to exploitation and raises its risk profile in internet-exposed deployments.

The second flaw, CVE-2026-25089, presents similar risks across a broader range of Fortinet offerings, including FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS.

Like CVE-2026-39808, it allows unauthenticated command execution through crafted HTTP requests. This indicates a systemic issue in the processing of user-supplied input across multiple Fortinet sandboxing platforms.

Given FortiSandbox’s role in analyzing suspicious files and detecting advanced threats, the exploitation of these vulnerabilities could enable attackers to tamper with analysis results, turn off protections, or utilize the sandbox environment as a pivot point for further attacks.

While CISA has not confirmed whether these vulnerabilities are being used in ransomware campaigns, their inclusion in the KEV catalog confirms active exploitation in real-world scenarios.

Security researchers highlight that command injection flaws in security appliances are particularly dangerous because they often grant high-privilege access and are typically deployed at critical points in network infrastructure. Attackers exploiting these flaws could gain deep visibility into malware analysis workflows or manipulate threat intelligence outputs.

CISA has mandated that federal agencies remediate these vulnerabilities by July 19, 2026, in accordance with Binding Operational Directive (BOD) 26-04, which prioritizes timely patching based on risk exposure.

Organizations are urged to apply vendor-provided mitigations immediately, assess the internet exposure of affected assets, and follow CISA’s forensic triage requirements to detect potential compromises. In cases where patches or mitigations are unavailable, CISA recommends discontinuing the use of the affected product to reduce risk.

Security teams should also monitor for indicators of compromise, such as unusual HTTP request patterns, unexpected command execution logs, or anomalies in FortiSandbox analysis outputs.

Given the unauthenticated nature of these exploits, proactive network monitoring and strict access controls are critical for minimizing exposure.

As threat actors continue to target security infrastructure, the rapid exploitation of these Fortinet vulnerabilities underscores the need for continuous patch management and robust defensive visibility across security tooling ecosystems.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.



Source link