Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week

Bad actors are exploiting multiple security vulnerabilities in Fortinet FortiSandbox, according to threat intelligence firm Defused Cyber.
In a post shared on X, the company said it has observed exploitation of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 over the past 24 hours.
CVE-2026-39813 (CVSS score: 9.1) refers to a path traversal vulnerability in the FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.
The second flaw, CVE-2026-39808 (CVSS score: 9.1), is a case of operating system command injection that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. Both vulnerabilities were patched by Fortinet in April 2026.
CVE-2026-25089 (CVSS score: 9.1), on the other hand, was fixed last week, with Fortinet describing it as an operating system command injection impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI that could allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
Defused Cyber noted that the exploit for CVE-2026-25089 not only shows signs of being developed using an artificial intelligence (AI) model, but is also faulty. A working exploit for the vulnerability has not been publicly disclosed.
Vulnerabilities in Fortinet appliances have become a lightning rod for attackers in recent years. In April 2026, Fortinet released out-of-band patches for a critical security flaw impacting FortiClient EMS (CVE-2026-35616, CVSS score: 9.1) that it said has been exploited in the wild.
FortiBleed Compromised Over 30,000 Fortinet Firewalls
The disclosure comes as SOCRadar reported that suspected Russian-speaking threat actors have compromised more than 30,000 Fortinet firewalls as part of an ongoing, large-scale campaign that has systematically targeted the network security devices across 194 countries.
The cybersecurity company made the discovery after identifying an operational server associated with the activity.
“The attacker’s database contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries,” SOCRadar said. “These are not random guesses. These are verified, working usernames and passwords, tested and confirmed by the attackers themselves using automated tools running around the clock.”
The compromised access points include devices belonging to banks, telecom operators, hospitals, universities, government agencies, energy companies, and multinational corporations. India, the U.S., Mexico, Colombia, Thailand, Taiwan, Indonesia, Malaysia, Singapore, and France account for the top 10 countries, with India taking up 60% of all internet-exposed Fortinet deployments in the government sector.
“The group uses a two-step approach,” the company added. “First, they try a list of previously leaked Fortinet passwords against devices across the internet – many organizations never changed passwords after earlier breaches. Second, once inside a device, they passively monitor network traffic to collect additional credentials as they pass through. Those are then used to compromise even more devices.”