Exploit Code Released for FortiSandbox Vulnerabilities

Summary
– Attackers are exploiting three vulnerabilities (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) in FortiSandbox.
– FortiSandbox is a platform that other Fortinet security products rely on to provide threat verdicts for blocking decisions and automated responses.
Cybersecurity researchers have detected active exploitation of three critical vulnerabilities in FortiSandbox, the Fortinet platform that serves as a backbone for threat analysis and automated enforcement across the company’s security ecosystem. The flaws, tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089, allow attackers to compromise the sandbox environment, which other Fortinet products rely on to receive threat verdicts, apply blocking rules, and trigger automated responses.
Public exploit code has now been released for all three vulnerabilities, significantly raising the risk for unpatched deployments. The most severe of the trio, CVE-2026-39813, carries a CVSS score of 9.8 and involves an improper input validation issue that can lead to remote code execution without authentication. Meanwhile, CVE-2026-39808 is a command injection flaw with a CVSS score of 8.6, and CVE-2026-25089 is a path traversal vulnerability rated at 7.5, both enabling attackers to execute arbitrary commands or access sensitive files.
Security analysts warn that because FortiSandbox is often deployed as a central decision-maker for blocking malicious traffic across firewalls and endpoint agents, a successful compromise could cascade into broader network intrusions. Organizations using FortiSandbox versions prior to the latest patches are urged to apply updates immediately, as proof-of-concept exploits are already circulating in the wild.
Fortinet released fixes for these issues in early 2026, but many enterprises may still be running vulnerable builds. The company advises administrators to restrict management access to trusted IPs and enable multi-factor authentication where possible to mitigate exposure. Given the active exploitation and public availability of exploit code, these are not vulnerabilities that can be safely ignored.
(Source: Help Net Security)