CISA has added two critical Fortinet FortiSandbox vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, warning that attackers are actively exploiting the flaws in real-world attacks.
The vulnerabilities, identified as CVE-2026-39808 and CVE-2026-25089, allow unauthenticated attackers to execute unauthorized operating system commands through specially crafted HTTP requests.
Both issues are classified as OS command injection vulnerabilities (CWE-78), which occur when an application fails to properly sanitize user-controlled input before passing it to an operating system command interpreter.
Successful exploitation can enable attackers to run arbitrary commands on vulnerable devices without needing valid credentials. CVE-2026-39808 affects Fortinet FortiSandbox directly.
According to CISA, this flaw could allow a remote, unauthenticated attacker to execute unauthorized code or commands by sending crafted HTTP requests to the targeted device.
The second vulnerability, CVE-2026-25089, has a broader impact, affecting not only FortiSandbox but also FortiSandbox Cloud and FortiSandbox PaaS environments.
FortiSandbox OS Injection Vulnerabilities Exploited
Like the first vulnerability, it can be exploited remotely by unauthenticated attackers through specially crafted HTTP requests, potentially allowing direct command execution on affected systems.
FortiSandbox is utilized by organizations to detect and analyze suspicious files, URLs, and malware in isolated environments.
Since these systems often handle potentially malicious content and may be integrated with broader security infrastructure, a compromise could give attackers a significant foothold within an organization’s network.
CISA added both vulnerabilities to the KEV Catalog on July 16, 2026, confirming that they have been exploited in attacks.
Federal Civilian Executive Branch agencies must implement vendor-provided mitigations by July 19, 2026, in accordance with Binding Operational Directive BOD 26-04.
This short remediation timeline reflects the considerable risk posed by vulnerabilities that are actively exploited and accessible on the internet.
Although CISA has not confirmed whether these vulnerabilities have been used in ransomware campaigns, organizations should treat them as high-priority threats.
Threat actors often exploit command injection flaws to deploy web shells, collect credentials, move laterally across networks, turn off security tools, or install malware.
Administrators are urged to promptly review Fortinet’s advisories and apply all available security updates and mitigations.
Organizations utilizing FortiSandbox Cloud or FortiSandbox PaaS should also ensure their service deployments comply with necessary patching and mitigation requirements.
Security teams should identify all internet-facing FortiSandbox assets, restrict access to management interfaces, review HTTP logs for unusual or malformed requests, and investigate any unexpected command executions or new administrative accounts.
Additionally, they should follow CISA’s forensic triage requirements to assess whether systems were compromised before remediation.
If patches or mitigations are unavailable, CISA recommends that organizations adhere to relevant cloud service guidance or discontinue use of the affected products until the risks are addressed.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post CISA Warns of Fortinet FortiSandbox OS Injection Vulnerabilities Exploited in Attacks appeared first on Cyber Security News.



