ctipilot.ch

CVE-2026-25089 / CVE-2026-39808 / CVE-2026-39813 — FortiSandbox: three critical flaws exploited in one 24-hour window

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

What was disclosure-only on 06-12 became active exploitation this week: Defused Cyber reported three FortiSandbox flaws exploited within a single 24-hour window — a JRPC OS command injection (CVE-2026-39808, 9.8), a JRPC path-traversal/auth-bypass (CVE-2026-39813, 9.1), and the web-UI command injection (CVE-2026-25089, 9.8) (Security Affairs; daily 06-17). FortiSandbox supplies the verdicts FortiGate, FortiMail, FortiProxy and FortiClient consume, so a compromised sandbox can suppress detection across the dependent Fortinet stack. The CVE-2026-25089 in-the-wild exploit appears AI-generated and faulty yet still finds traction against unpatched interfaces; Fortinet has not officially confirmed exploitation. Patch all three and restrict management-interface exposure.