Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April
https://cyberscoop.com/fortinet-fortisandbox-vulnerabilities-exploits/
Publish Date: 2026-06-17 11:45:00
Source Domain: cyberscoop.com
Attackers are actively exploiting a pair of critical Fortinet vulnerabilities in FortiSandbox, a security product customers use to identify and defend against emerging threats across their network, according to researchers.
Fortinet disclosed and patched the vulnerabilities — CVE-2026-39808 and CVE-2026-39813 — in April, but it hasn’t confirmed exploitation. The company did not respond to a request for comment.
VulnCheck said it first observed exploitation of CVE-2026-39808, an OS-command injection vulnerability, on June 9. Researchers at threat intelligence firm Defused confirmed exploitation of the same defect June 11, and observed exploitation of CVE-2026-39813, a path-traversal vulnerability, on June 15.
Simo Kohonen, founder and CEO of Defused, said the firm observed 49 exploitation events from 11 distinct IPs against the pair of defects over a six-day period. Attackers are also attempting to exploit a third FortiSandbox vulnerability, CVE-2026-25089, which Fortinet disclosed and patched June 9, he added.
Researchers haven’t determined how many Fortinet customers are directly impacted, yet post-exploitation activity thus far, which includes verification and reconnaissance, usually precedes a heavier wave of attacks, Kohonen said.
Defused traced the malicious activity to 13 sources originating from nine countries, including China, South Korea, Taiwan, India, Singapore, Germany, the Netherlands, Canada and Bulgaria.
“The spread and the shared proof-of-concepts point to multiple independent operators on commodity infrastructure, not one campaign,” Kohonen told CyberScoop.
Researchers said they haven’t observed evidence attackers are chaining the vulnerabilities together, but the exploits are functioning with one another by bypassing authentication, escalating privileges and allowing attackers to execute arbitrary commands.
The exploits, which multiple research firms have observed in honeypots, mark the…