ctipilot.ch

Daily brief 2026-06-17

FortiSandbox — three critical flaws now exploited simultaneously, including the previously disclosure-only CVE-2026-25089

high vulnerability discovered 2026-06-17 05:14 UTC

Part of run 2026-06-17-e102009c (intel · unknown)

UPDATE — originally covered CVE-2026-25089 — Fortinet FortiSandbox: unauthenticated OS command injection in the web UI's VNC-launch handler (CVSS 9.8) (2026-06-12)

UPDATE (originally covered 2026-06-12): when CVE-2026-25089 was first covered on 06-12 it was disclosure-only. Threat-intel firm Defused Cyber has now reported active exploitation of three FortiSandbox flaws within a single 24-hour window: CVE-2026-39808 (CVSS 9.8, JRPC OS command injection) and CVE-2026-39813 (CVSS 9.1, JRPC path traversal / auth bypass), both with patches available since April 2026, and CVE-2026-25089 (CVSS 9.8, web-UI command injection), patched 2026-06-09 (Security Affairs, 2026-06-16).

FortiSandbox supplies sandboxed file verdicts that FortiGate, FortiMail, FortiProxy and FortiClient consume to make blocking decisions, so a compromised sandbox can suppress detection across the dependent Fortinet stack (Help Net Security, 2026-06-16). The CVE-2026-25089 exploit seen in the wild appears to be AI-generated and is assessed as faulty, yet it still gains traction against unpatched deployments, which is evidence that exposed, unpatched FortiSandbox interfaces remain. Fortinet has not yet officially confirmed exploitation. Patch all three; until then, restrict management-interface exposure and watch FortiSandbox web-UI/JRPC access logs for unauthenticated external POSTs.

Action items

  • Patch all three FortiSandbox CVEs and restrict the management interface (§ 4). CVE-2026-39808/39813 (April patches) and CVE-2026-25089 (06-09 patch) are under simultaneous exploitation; a compromised sandbox suppresses blocking across the FortiGate/FortiMail stack. Watch JRPC/web-UI access logs for unauthenticated external POSTs.
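Added example, not part of this brief or of any Fortinet tooling: a small Python triage that applies the log-watching step from the paragraph above and from the action item, flagging POSTs that come from outside the management networks without an authenticated session and that target the JRPC API or the web-UI VNC-launch handler. The log format, the endpoint paths /jrpc and /vnc/launch, the management networks and the sample lines are all constructed assumptions, since the brief does not give FortiSandbox's actual log layout.

```python
import ipaddress
import re

# Constructed sample lines in an assumed combined-log-style layout with a trailing
# session field; the brief does not give FortiSandbox's real log format.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2026:09:12:01 +0000] "POST /jrpc HTTP/1.1" 200 512 "-" "python-requests/2.31" session=-
10.20.0.5 - admin [16/Jun/2026:09:13:44 +0000] "POST /jrpc HTTP/1.1" 200 512 "-" "Mozilla/5.0" session=a1b2
198.51.100.9 - - [16/Jun/2026:09:15:10 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0" session=-
198.51.100.9 - - [16/Jun/2026:09:15:12 +0000] "POST /vnc/launch HTTP/1.1" 500 0 "-" "curl/8.5" session=-
192.168.1.40 - - [16/Jun/2026:09:16:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" session=-
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" session=(?P<session>\S+)$'
)

# Assumed endpoints to watch: the JRPC API and the web-UI VNC-launch handler named in the brief.
WATCHED_PREFIXES = ("/jrpc", "/vnc/")
# Assumed networks from which management access is expected; anything else is "external".
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparseable source: treat as external for triage
    return not any(ip in net for net in MGMT_NETS)

def is_unauthenticated(rec):
    # No authenticated user and no session cookie on the request.
    return rec["user"] == "-" and rec["session"] == "-"

def find_suspicious(log_text):
    """Return parsed records for unauthenticated external POSTs to watched endpoints."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        if is_external(rec["src"]) and is_unauthenticated(rec):
            hits.append(rec)
    return hits
```

Running `find_suspicious(SAMPLE_LOG)` on the constructed lines returns the two external unauthenticated POSTs (to /jrpc and /vnc/launch) and ignores the authenticated internal JRPC call, the GET, and the login-form POST; a non-200 status on a flagged hit is consistent with the faulty exploit attempts the brief describes and is still worth investigating.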

Update chain

Tags: vulnerabilities, actively-exploited, pre-auth, rce, auth-bypass, global, CVE-2026-39808, CVE-2026-39813, CVE-2026-25089