3 Recently Patched Fortinet FortiSandbox Vulnerabilities in Hacker Crosshairs
Three recently patched vulnerabilities in Fortinet FortiSandbox are actively targeted in the wild. Two of these vulnerabilities, CVE-2026-39808 and CVE-2026-39813, are rated critical and allow authentication bypass and OS command injection, respectively. A third vulnerability, CVE-2026-25089, patched in June 2026, permits remote unauthenticated command execution. Additionally, over 30,000 Fortinet firewalls have been compromised in a campaign dubbed FortiBleed, exposing networks globally and enabling attackers to harvest credentials for further intrusions. The threat actor uses automated scanning and credential stuffing to propagate access, with indications of targeting defense industry VPNs. Exploits have been observed since June 2026, including AI-generated attempts. Fortinet has issued patches for these vulnerabilities.
AI Analysis
Technical Summary
Defused and KEVIntel have observed active exploitation attempts targeting three Fortinet FortiSandbox vulnerabilities: CVE-2026-39808 (OS command injection), CVE-2026-39813 (authentication bypass), both rated critical and patched in April 2026, and CVE-2026-25089 (remote command execution), patched in June 2026. Exploitation of CVE-2026-39808 was independently confirmed on June 12, 2026, and CVE-2026-39813 on June 15, 2026. Defused noted that the exploit for CVE-2026-25089 appears AI-generated and initially ineffective. Separately, SOCRadar reported a large-scale campaign (FortiBleed) compromising over 30,000 Fortinet firewalls and VPN gateways worldwide, using credential stuffing and scanning to gain access and harvest credentials, including those linked to defense industry VPN endpoints. The threat actor is suspected to be Russian-speaking. Fortinet has released patches addressing these vulnerabilities.
Potential Impact
Successful exploitation of CVE-2026-39808 and CVE-2026-25089 allows remote unauthenticated attackers to execute arbitrary commands on vulnerable FortiSandbox appliances, potentially leading to full system compromise. CVE-2026-39813 enables authentication bypass, allowing attackers unauthorized access. The FortiBleed campaign compromises Fortinet firewalls and VPN gateways, exposing corporate and government networks globally, enabling attackers to monitor traffic, harvest credentials, and expand their access. This poses significant risks to confidentiality, integrity, and availability of affected networks, including sensitive defense industry infrastructure.
Mitigation Recommendations
Fortinet has issued official patches for CVE-2026-39808 and CVE-2026-39813 in April 2026 and for CVE-2026-25089 in June 2026. Organizations should apply these patches promptly to mitigate the vulnerabilities. The FortiBleed campaign exploits known credentials; therefore, affected organizations should audit Fortinet firewall and VPN gateway credentials, enforce strong password policies, and monitor for unauthorized access. Since Fortinet appliances are on-premises, remediation requires applying vendor patches and credential hygiene. Patch status is confirmed by vendor advisories linked in the source article.
3 Recently Patched Fortinet FortiSandbox Vulnerabilities in Hacker Crosshairs
Description
Three recently patched vulnerabilities in Fortinet FortiSandbox are actively targeted in the wild. Two of these vulnerabilities, CVE-2026-39808 and CVE-2026-39813, are rated critical and allow authentication bypass and OS command injection, respectively. A third vulnerability, CVE-2026-25089, patched in June 2026, permits remote unauthenticated command execution. Additionally, over 30,000 Fortinet firewalls have been compromised in a campaign dubbed FortiBleed, exposing networks globally and enabling attackers to harvest credentials for further intrusions. The threat actor uses automated scanning and credential stuffing to propagate access, with indications of targeting defense industry VPNs. Exploits have been observed since June 2026, including AI-generated attempts. Fortinet has issued patches for these vulnerabilities.
Reddit Discussion
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Defused and KEVIntel have observed active exploitation attempts targeting three Fortinet FortiSandbox vulnerabilities: CVE-2026-39808 (OS command injection), CVE-2026-39813 (authentication bypass), both rated critical and patched in April 2026, and CVE-2026-25089 (remote command execution), patched in June 2026. Exploitation of CVE-2026-39808 was independently confirmed on June 12, 2026, and CVE-2026-39813 on June 15, 2026. Defused noted that the exploit for CVE-2026-25089 appears AI-generated and initially ineffective. Separately, SOCRadar reported a large-scale campaign (FortiBleed) compromising over 30,000 Fortinet firewalls and VPN gateways worldwide, using credential stuffing and scanning to gain access and harvest credentials, including those linked to defense industry VPN endpoints. The threat actor is suspected to be Russian-speaking. Fortinet has released patches addressing these vulnerabilities.
Potential Impact
Successful exploitation of CVE-2026-39808 and CVE-2026-25089 allows remote unauthenticated attackers to execute arbitrary commands on vulnerable FortiSandbox appliances, potentially leading to full system compromise. CVE-2026-39813 enables authentication bypass, allowing attackers unauthorized access. The FortiBleed campaign compromises Fortinet firewalls and VPN gateways, exposing corporate and government networks globally, enabling attackers to monitor traffic, harvest credentials, and expand their access. This poses significant risks to confidentiality, integrity, and availability of affected networks, including sensitive defense industry infrastructure.
Mitigation Recommendations
Fortinet has issued official patches for CVE-2026-39808 and CVE-2026-39813 in April 2026 and for CVE-2026-25089 in June 2026. Organizations should apply these patches promptly to mitigate the vulnerabilities. The FortiBleed campaign exploits known credentials; therefore, affected organizations should audit Fortinet firewall and VPN gateway credentials, enforce strong password policies, and monitor for unauthorized access. Since Fortinet appliances are on-premises, remediation requires applying vendor patches and credential hygiene. Patch status is confirmed by vendor advisories linked in the source article.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":30,"reasons":["external_link","newsworthy_keywords:patch","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["patch"],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a32497a0b89be6888efc3d4
Added to database: 6/17/2026, 7:15:06 AM
Last enriched: 6/17/2026, 7:15:16 AM
Last updated: 6/17/2026, 4:42:49 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.