Jul 18, 2026
Policy

CISA orders fixes for exploited FortiSandbox command-injection flaws

CISA added two critical FortiSandbox vulnerabilities to its exploited-bug catalog, triggering mandatory remediation deadlines for federal civilian agencies.

Renata Fuchs

By Renata Fuchs · Policy Reporter

· 3 min read

CISA orders fixes for exploited FortiSandbox command-injection flaws
Photo: The Register

CISA has ordered federal civilian agencies to remediate two critical FortiSandbox vulnerabilities after adding them to its Known Exploited Vulnerabilities catalog, a move that means the agency has evidence of active exploitation. The flaws, CVE-2026-39808 and CVE-2026-25089, both carry CVSS scores of 9.1 and affect FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS.

Fortinet has described both issues as OS command-injection vulnerabilities. According to the company’s advisories, an unauthenticated attacker could use specially crafted HTTP requests to run arbitrary commands, with no valid credentials or user interaction required. Fortinet said successful exploitation could result in remote code execution and characterized the attacks as low complexity.

The timing matters for security teams running Fortinet sandboxing products because the fixes are not new. Fortinet released a patch for CVE-2026-39808 in April and followed with a fix for CVE-2026-25089 in June. CISA’s catalog entry changes the urgency for U.S. federal civilian agencies, which must patch within the deadlines set by the agency or stop using vulnerable products if they cannot be adequately secured under Binding Operational Directive 26-04.

Fortinet has not publicly confirmed exploitation of either vulnerability, and its advisories have not been updated to label the bugs as exploited, according to The Register. The company did not respond to The Register’s questions. CISA, for its part, generally does not say who is behind activity tied to KEV additions or how broadly the vulnerabilities are being used in attacks.

Outside the government process, security firm Defused said it observed exploitation attempts this week against both FortiSandbox bugs, as well as another FortiSandbox vulnerability, CVE-2026-39813. Defused said one exploit aimed at CVE-2026-25089 appeared likely to be broken and described it as “vibecoded.” The firm also said it had not yet seen a working public exploit for that vulnerability.

For enterprise operators, the lack of a confirmed working public exploit does not remove the risk. CISA’s KEV listing is a practical signal that defenders should treat the vulnerabilities as being used in real attacks, even if the agency withholds campaign details. The affected products sit in security infrastructure, which can make compromise more consequential than a routine application bug.

CISA’s Thursday KEV update also included a newly patched Microsoft SharePoint Server vulnerability, CVE-2026-58644. Microsoft rated the deserialization flaw critical with a CVSS score of 9.8. The company said an authenticated attacker with Site Owner privileges could execute arbitrary code remotely on vulnerable SharePoint servers.

Microsoft also warned that CVE-2026-58644 can be exploited remotely over the internet with relatively little effort. Unlike the FortiSandbox bugs, the SharePoint issue requires authentication and Site Owner privileges, but the internet-facing nature of many SharePoint deployments makes it a near-term patching priority for organizations that expose affected servers.

This story draws on original reporting from The Register.

More from Policy

All Policy →