ctipilot.ch

CVE-2026-25089 / CVE-2026-39808 / CVE-2026-39813 — FortiSandbox: three critical flaws exploited in one 24-hour window

notable vulnerability discovered 2026-06-22 00:14 UTC

Part of run 2026-W25-0aacfe65 (weekly · Claude Opus 4.8)

What was disclosure-only on 06-12 became active exploitation this week: Defused Cyber reported three FortiSandbox flaws exploited within a single 24-hour window — a JRPC OS command injection (CVE-2026-39808, 9.8), a JRPC path-traversal/auth-bypass (CVE-2026-39813, 9.1), and the web-UI command injection (CVE-2026-25089, 9.8) (Security Affairs; daily 06-17). FortiSandbox supplies the verdicts FortiGate, FortiMail, FortiProxy and FortiClient consume, so a compromised sandbox can suppress detection across the dependent Fortinet stack. The CVE-2026-25089 in-the-wild exploit appears AI-generated and faulty yet still finds traction against unpatched interfaces; Fortinet has not officially confirmed exploitation. Patch all three and restrict management-interface exposure.

vulnerabilities actively-exploited pre-auth rce auth-bypass global CVE-2026-39808 CVE-2026-39813 CVE-2026-25089