UK’s trusted IT infrastructure partner since 2003
Servnet
FinanceToolsConfiguratorGet in Touch
Cyber security

FortiSandbox CVE Patch CISA 2026: UK Action Needed

London · Servnet News Desk · IT infrastructure analysis3 min read
Share

Two critical FortiSandbox vulnerabilities, now confirmed under active exploitation and added to CISA's Known Exploited Vulnerabilities catalog, leave threat-detection appliances exposed to unauthenticated remote command execution. UK infrastructure buyers running FortiSandbox on-premises, in the cloud, or as PaaS should treat patching as immediate, not scheduled maintenance.

FortiSandbox patch and exploitation timeline, 2026
W0W3W6W9W12W15W16April patches: CVE-2026-3…1w9 June patch for…1wActive exploitation of…1wCISA adds two CVEs to KEV…2wTotal: 16 weeks end-to-end
View the data behind this chart
FortiSandbox patch and exploitation timeline, 2026
PhaseStarts (week)Duration (weeks)
April patches: CVE-2026-3981…01
9 June patch for CVE-2026-25…81
Active exploitation of all…91
CISA adds two CVEs to KEV…142

What's actually happening

Attackers are actively exploiting two critical Fortinet FortiSandbox vulnerabilities, CVE-2026-39808 and CVE-2026-25089, both rated CVSS 9.1. Both are OS command injection flaws that let an unauthenticated attacker execute arbitrary commands via a specially crafted HTTP request — no credentials, no user interaction, no social engineering required. The flaws affect FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI, meaning appliance owners, cloud tenants and PaaS customers are all in scope.

A third critical bug, CVE-2026-39813 (also CVSS 9.1), is a path traversal and authentication bypass in the FortiSandbox JRPC API, allowing unauthenticated attackers to read arbitrary files. Threat intelligence firm Defused reported observing exploitation of all three CVEs within a single 24-hour window, noting activity began over a weekend — a pattern that has become disturbingly familiar with edge security appliances.

The patch timeline UK teams need to understand

Fortinet's fix rollout happened in two stages, which matters for anyone auditing patch coverage. CVE-2026-39813 and CVE-2026-39808 were patched in April 2026, with fixes landing in FortiSandbox 4.4.9 and 5.0.6; at that point Fortinet reported no evidence of active exploitation. CVE-2026-25089 followed on 9 June 2026, closing the gap across FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS. It was only in mid-June that exploitation activity was first observed and reported publicly — meaning organisations that delayed either patch window are now sitting on appliances with confirmed, weaponised vulnerabilities.

CVSS 9.1 across the board: comparing the three flaws

All three FortiSandbox vulnerabilities carry the maximum practical severity rating short of a perfect score, but they differ in mechanism and exploit maturity. Understanding which is which helps prioritise verification during patch audits.

    Illustration: FortiSandbox CVE Patch CISA 2026: UK Action Needed

    Why CISA's KEV listing matters even outside the US

    CISA has added CVE-2026-39808 and CVE-2026-25089 to its Known Exploited Vulnerabilities catalog, which by policy confirms the agency holds evidence of active exploitation — though it rarely discloses how widespread that exploitation is or attributes it to specific actors. The KEV listing triggers a binding operational directive requiring US federal agencies to patch by a set deadline. UK organisations aren't bound by that directive, but the listing is a reliable, independently verified signal that these bugs are being weaponised now, not theoretically. Any UK buyer treating KEV inclusion as 'someone else's problem' is misreading what the catalog is actually telling them.

    FortiSandbox appliances typically sit at a network's inspection chokepoint, analysing suspicious files and traffic — which makes an unauthenticated command injection there especially dangerous, since a compromised sandbox can become a pivot point into the very network it was meant to protect.

    What UK infrastructure buyers should do now

    Confirm FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS instances are running 4.4.9 or later (or 5.0.6 where applicable) and that the June 9 update covering CVE-2026-25089 has been applied — patch version alone doesn't guarantee all three fixes are present if updates were applied piecemeal. Teams managing broader Fortinet estates should learn more about Fortinet's security offerings to understand how sandbox appliances fit into wider FortiGate and FortiSandbox architectures, and should enhance your vulnerability management strategy to catch the gap between disclosure and patch deployment that attackers keep exploiting. Organisations running end-of-support or delayed-refresh sandbox hardware should also explore third-party maintenance for your Fortinet appliances to keep coverage current without waiting on a full refresh cycle.

    Given that exploitation was detected within days of the final patch shipping, relying solely on vendor patch cadence is no longer sufficient. Buyers should consider managed detection and response (MDR) services to catch post-exploitation behaviour on sandbox appliances that may already have been probed before patches were applied.

    The bigger picture for UK cyber resilience

    This is another entry in a growing pattern of critical, unauthenticated, remotely exploitable flaws in perimeter and inspection appliances — the exact class of kit that's supposed to catch attackers, not admit them. For UK buyers, the practical lesson is that threat-detection infrastructure needs the same patch discipline, asset inventory and exploitation monitoring as any internet-facing firewall, and that a three-week gap between the final patch and confirmed in-the-wild exploitation is now a realistic threat window, not a hypothetical one.

    Share
    Key takeaways
    • CVE-2026-39808 and CVE-2026-25089 (both CVSS 9.1) are actively exploited and now on CISA's KEV catalog
    • A third flaw, CVE-2026-39813 (CVSS 9.1), is a path traversal/auth bypass also under active exploitation reports
    • Patches exist for all three: April 2026 (4.4.9/5.0.6) and 9 June 2026 for CVE-2026-25089 — verify all are applied, not just one
    • Sandbox appliances sit at network inspection chokepoints, so a compromise here can pivot deeper into protected networks
    Frequently asked

    FAQs — FortiSandbox CVE Patch CISA 2026

    Which FortiSandbox versions are affected by these CVEs?

    FortiSandbox versions 4.4.0 through 4.4.8 are affected by CVE-2026-39808, with fixes available in 4.4.9 and above. FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI are all affected by CVE-2026-25089, patched on 9 June 2026. CVE-2026-39813 is fixed in FortiSandbox 4.4.9 and 5.0.6.

    Are these vulnerabilities confirmed to be exploited, or just theoretical risk?

    CISA has added CVE-2026-39808 and CVE-2026-25089 to its Known Exploited Vulnerabilities catalog, confirming active exploitation. Threat intelligence firm Defused separately reported observing exploitation of all three CVEs, including CVE-2026-39813, within a 24-hour window.

    Does CISA's patch order apply to UK organisations?

    CISA's binding operational directive legally applies only to US federal agencies, but UK organisations should treat KEV inclusion as strong independent confirmation of active exploitation and patch accordingly. Reviewing your vulnerability management strategy against KEV entries is good practice regardless of jurisdiction.

    What should teams do if they can't patch FortiSandbox immediately?

    Restrict administrative and API access to trusted networks, monitor for anomalous HTTP requests, and consider managed detection and response to spot post-exploitation activity while patching is scheduled.

    Related

    Turning this into a buying decision?

    One conversation with an engineer who's specced this before. No sales script.

    Talk to Servnet →

    Talk to a UK specialist

    Get expert advice or a no-obligation quote — servers, storage, networking, maintenance, finance and cloud. We reply the same working day.

    or call 0800 987 4111