Three Critical FortiSandbox Bugs Under Active Attack - Patch Now

bleepingcomputer.com · @threat_watch · 3 hours ago · Cybersecurity · 5 comments

Defused reports unauthenticated attackers are exploiting three critical FortiSandbox CVEs in the wild, with one exploit described as 'vibecoded' and likely faulty.

Tags: Fortinet, FortiSandbox, CVE-2026-39813, CVE-2026-39808, CVE-2026-25089, remote code execution

Attackers are actively hammering three critical FortiSandbox flaws right now, and at least one exploit is so sloppy the threat intel firm called it "vibecoded."

Defused posted the warning Monday: in the past 24 hours it has seen active exploitation of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. All three are unauthenticated command injection vulnerabilities: low attack complexity, no user interaction needed, reachable without credentials. A successful attacker can escalate privileges or execute arbitrary code on an unpatched FortiSandbox appliance.

Patches Shipped in April, Exploitation Arrived in June

Fortinet pushed fixes for these three CVEs on April 14, three critical bugs in one release. If you didn't update then, you're now a target. Defused notes that CVE-2026-39813 had no recorded exploitation before this week, which most likely means attackers either reverse-engineered the patch or found the same holes independently; either way, the roughly two-month gap between fix and exploitation is the window defenders had.

The third bug, CVE-2026-25089, is particularly interesting. Defused states "a working exploit for CVE-2026-25089 has not yet been publicly disclosed" but has seen attempts it describes as a "vibecoded, likely faulty exploit" (that is, apparently generated with an AI coding assistant and barely tested). Translation: someone is spraying half-baked payloads at exposed appliances, possibly hoping a rushed attempt catches something. Don't count on them staying faulty; a faulty exploit still tells you the bug is being worked on.

The Wider Fortinet Target Pattern

This isn't a surprise. Fortinet's security appliances have been a favorite target for ransomware gangs and state-backed espionage groups for years. CISA currently tracks 26 Fortinet CVEs that have been exploited in the wild, 13 of them abused by ransomware operations.

Just two months ago, Defused flagged another critical FortiSandbox RCE (CVE-2026-26083) and a FortiClient EMS SQL injection (CVE-2026-21643) that also saw active exploitation. CISA gave federal agencies three days to patch that EMS flaw. The rhythm is predictable: Fortinet ships fixes, attackers move fast, and any unpatched edge device becomes a beachhead.

Upgrade every FortiSandbox instance to the latest firmware version immediately. If you can't patch, isolate those appliances from untrusted networks and keep the management interface off the internet. Patching alone does not evict an attacker who already landed: any appliance that sat exposed and unpatched since April should be reviewed for signs of compromise. The vibecoded exploits may be sloppy today, but working payloads for these CVEs are coming.

Expect the next CISA emergency directive to land within days, and don't wait for it.
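The article leans on CISA's Known Exploited Vulnerabilities catalog twice: the count of Fortinet entries and the three-day deadline it set for the EMS flaw. Below is an added example, not code from the article, from Defused or from Fortinet, that parses a KEV feed (the live JSON catalog or a saved copy), counts Fortinet entries and those with known ransomware use, and reports whether the CVE IDs named in this article have a KEV entry and due date yet. The feed URL and field names (cveID, vendorProject, dateAdded, dueDate, knownRansomwareCampaignUse) are CISA's published schema; SAMPLE_FEED is constructed here so the script runs offline, and its entries are illustrative placeholders rather than CISA data. Note that absence from KEV means nothing about exploitation, which is exactly the article's point.

```python
"""Check a CISA KEV feed for Fortinet entries and a CVE watchlist.

Added example, not from the article, Defused or Fortinet. KEV_URL and the
JSON field names follow CISA's published feed schema; SAMPLE_FEED is
constructed for offline runs and its values are placeholders, not CISA data.
"""
import json
import sys
import urllib.request

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# CVE IDs named in the article.
WATCHLIST = [
    "CVE-2026-39813", "CVE-2026-39808", "CVE-2026-25089",  # FortiSandbox, this week
    "CVE-2026-26083",                                      # FortiSandbox RCE, two months ago
    "CVE-2026-21643",                                      # FortiClient EMS SQL injection
]

# Constructed sample in the KEV layout. Only the structure is CISA's; the
# entry values (dates, ransomware flag) are placeholders for illustration.
SAMPLE_FEED = {
    "title": "constructed sample, not the CISA catalog",
    "catalogVersion": "0",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "dueDate": "2021-12-24",
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-2026-21643",
            "vendorProject": "Fortinet",
            "product": "FortiClient EMS",
            "vulnerabilityName": "Fortinet FortiClient EMS SQL Injection Vulnerability",
            "dateAdded": "placeholder-date",
            "dueDate": "placeholder-date",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
}


def load_feed(path=None):
    """Load KEV JSON from a saved file, or fetch the live catalog when path is None."""
    if path is None:
        with urllib.request.urlopen(KEV_URL, timeout=30) as resp:
            return json.load(resp)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def entries_by_vendor(feed, vendor="Fortinet"):
    """Catalog entries whose vendorProject matches, case-insensitively."""
    return [v for v in feed["vulnerabilities"]
            if v.get("vendorProject", "").lower() == vendor.lower()]


def ransomware_used(entries):
    """Subset of entries CISA flags as used in known ransomware campaigns."""
    return [v for v in entries if v.get("knownRansomwareCampaignUse") == "Known"]


def watchlist_status(feed, watchlist):
    """Map each watched CVE to its KEV entry, or None if CISA has not listed it."""
    index = {v["cveID"]: v for v in feed["vulnerabilities"]}
    return {cve: index.get(cve) for cve in watchlist}


def report(feed, watchlist=WATCHLIST):
    """Lines for a ticket: vendor totals, then one line per watched CVE."""
    fortinet = entries_by_vendor(feed)
    lines = [f"Fortinet CVEs in KEV: {len(fortinet)} "
             f"({len(ransomware_used(fortinet))} with known ransomware use)"]
    for cve, entry in watchlist_status(feed, watchlist).items():
        if entry is None:
            lines.append(f"{cve}: not in KEV yet (exploitation does not wait for a listing)")
        else:
            lines.append(f"{cve}: in KEV, added {entry['dateAdded']}, due {entry['dueDate']}")
    return lines


if __name__ == "__main__":
    # Pass a saved KEV JSON path to check a real catalog; with no argument
    # the constructed sample is used so the script runs offline.
    feed = load_feed(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FEED
    print("\n".join(report(feed)))
```

Run it against a downloaded copy of the catalog on a schedule and diff the output: a watched CVE flipping from "not in KEV yet" to a due date is the signal to escalate the patch ticket, while the ransomware count is the number the article cites and the one leadership tends to ask for.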

Source: Critical Fortinet FortiSandbox flaws now exploited in attacks
Domain: bleepingcomputer.com
