Fortinet FortiSandbox CVE-2026-39813 — actively exploited (Defused Cyber)

cve · CVE-2026-39813

Coverage timeline

first 2026-06-17 → last 2026-06-17

Briefs

1 distinct

Sources cited

32 hosts

Sections touched

updates

Co-occurring entities

see Related entities below

Story timeline

2026-06-17CTI Daily Brief — 2026-06-17
updatesFirst coverage; active exploitation in 24h window

Where this entity is cited

updates1

Source distribution

attack.mitre.org15 (26%)
thehackernews.com5 (9%)
bleepingcomputer.com3 (5%)
fortiguard.fortinet.com3 (5%)
crowdstrike.com2 (4%)
fortinet.com2 (4%)
github.com2 (4%)
helpnetsecurity.com1 (2%)
other24 (42%)

Related entities

Fortinet FortiSandbox CVE-2026-39808 — actively exploited (Defused Cyber)
cveCVE-2026-39808×1
Fortinet FortiSandbox unauthenticated OS command injection
cveCVE-2026-25089×1
FortiSandbox triple active exploitation (CVE-2026-39808/39813/25089) — simultaneous in-the-wild exploitation
campaignitem:fortisandbox-triple-active-exploitation×1
UPDATE: Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC (cldflt.sys CfAbortHydration, claimed CVE-2020-17103 regression on fully patched Win11)
campaignitem:windows-zero-day-proliferation-yellowkey-greenplasma-minipla×1
UPDATE: Grafana Labs CoinbaseCartel — victim confirms source-code-only theft via Pwn-Request, no customer data, ransom rejected on FBI guidance
incidentitem:grafana-labs-coinbasecartel-pwn-request-github-actions-breac×1
UPDATE: TeamPCP / Shai-Hulud — first copycat wave (OX Security npm packages w/ Phantom Bot + SSH/cloud stealers); Checkmarx Jenkins plugin trojanised (third in three months); SentinelLabs PCPJack rival worm
campaignitem:teampcp-shai-hulud-copycat-wave-ox-security-checkmarx-pcpja×1

External references

NVD · cve.org · CISA KEV

All cited sources (57)

Items in briefs about Fortinet FortiSandbox CVE-2026-39813 — actively exploited (Defused Cyber) (1)

UPDATE: FortiSandbox — three critical flaws now exploited simultaneously, including the previously disclosure-only CVE-2026-25089

From CTI Daily Brief — 2026-06-17 · published 2026-06-17 · view item permalink →

UPDATE (originally covered 2026-06-12): When CVE-2026-25089 was covered on 06-12 it was disclosure-only. Threat-intel firm Defused Cyber has now reported active exploitation of three FortiSandbox flaws within a single 24-hour window — CVE-2026-39808 (CVSS 9.8, JRPC OS command injection), CVE-2026-39813 (CVSS 9.1, JRPC path traversal / auth bypass), both with patches available since April 2026, and CVE-2026-25089 (CVSS 9.8, web-UI command injection), patched 2026-06-09 (Security Affairs, 2026-06-16).

FortiSandbox supplies sandboxed file verdicts that FortiGate, FortiMail, FortiProxy and FortiClient consume to make blocking decisions, so a compromised sandbox can suppress detection across the dependent Fortinet stack (Help Net Security, 2026-06-16). The CVE-2026-25089 exploit seen in the wild appears AI-generated and is assessed as faulty, yet still finds traction against unpatched deployments — evidence that exposed, unpatched FortiSandbox interfaces remain. Fortinet has not yet officially confirmed exploitation. Patch all three; until then, restrict management-interface exposure and watch FortiSandbox web-UI/JRPC access logs for unauthenticated external POSTs.