CISA Orders Urgent Patch for Actively Exploited Fortinet Flaws

▼ Summary
– Two critical OS command injection vulnerabilities in Fortinet’s FortiSandbox, CVE-2026-39808 and CVE-2026-25089, have been exploited in the wild, each with a CVSS severity rating of 9.1.
– CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on July 16 and urged federal agencies to apply patches by July 19.
– CVE-2026-39808 affects FortiSandbox versions 4.4.0 to 4.4.8 and allows an attacker to execute unauthorized code; Fortinet released a patch in version 4.4.9.
– CVE-2026-25089 affects multiple FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS versions, allowing an unauthenticated attacker to execute commands via crafted HTTP requests; patches were released in versions 4.4.9 and 5.0.6.
– CISA has not confirmed whether the vulnerabilities have been used in ransomware campaigns.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive to patch two critical security flaws in Fortinet’s FortiSandbox platform, following confirmation of active exploitation in the wild. Both vulnerabilities carry a CVSS severity score of 9.1, placing them among the most dangerous threats currently facing federal networks.
On July 16, CISA added CVE-2026-39808 and CVE-2026-25089 to its Known Exploited Vulnerabilities (KEV) catalog, citing clear evidence that attackers are already leveraging them. Federal civilian agencies are required to apply the necessary patches by July 19, though the agency strongly recommends that all organizations using affected products act immediately.
The first flaw, CVE-2026-39808, was discovered by Samuel de Lucas Maroto, a security researcher at KPMG Spain, and publicly disclosed by Fortinet on April 14. This OS command injection vulnerability impacts FortiSandbox versions 4.4.0 through 4.4.8. Successful exploitation allows an attacker to execute unauthorized code or commands on the system. Fortinet has released a fix with FortiSandbox version 4.4.9.
The second bug, CVE-2026-25089, was identified internally by Fortinet Product Security researcher Adham El Karn and disclosed on June 9. It affects a broader range of products, including FortiSandbox versions 5.0.0 to 5.0.5, 4.4.0 to 4.4.8, and all 4.2 versions, as well as FortiSandbox Cloud and FortiSandbox PaaS versions 5.0.4 to 5.0.5. This vulnerability enables an unauthenticated attacker to execute unauthorized commands by sending specially crafted HTTP requests. Patches are available in FortiSandbox versions 4.4.9 and 5.0.6.
CISA’s directive requires federal agencies to apply all available mitigations and patches. For cloud-based deployments where fixes are not yet available, agencies must discontinue use of the product. While CISA has not confirmed whether these flaws have been tied to ransomware campaigns, the agency’s swift action underscores the serious risk they pose to critical infrastructure and government operations.
(Source: Infosecurity Magazine)




