Critical FortiSandbox Exploits Threaten Enterprise Security Trust Chains
Attackers gained unauthenticated root on FortiSandbox, the verdict engine behind enterprise security stacks.

CISA confirmed on July 16, 2026, that two critical command injection flaws in Fortinet's FortiSandbox threat-analysis platform are being actively exploited in real-world attacks. Federal civilian agencies have until Sunday, July 19 to apply vendor patches or pull affected systems offline entirely. What makes the window this narrow is what FortiSandbox actually is: not a web application or a management console, but the appliance that delivers threat verdicts to every other product in an organization's Fortinet security stack — firewalls, email gateways, endpoint agents, SIEMs, and automated response platforms all trust its output. Owning FortiSandbox means forging those verdicts.
The new CISA directive lands against an already alarming backdrop: the FortiBleed campaign, running since at least February 2026, has assembled verified administrator credentials for more than 86,644 internet-facing FortiGate firewalls across 194 countries. Researchers attribute that operation to the Lynx/INC ransomware group, and at least 12 confirmed ransomware deployments have already been traced directly to credentials harvested through it.
The two campaigns are not parallel threats. Attackers who already hold FortiGate credentials from FortiBleed sit on administrative segments where FortiSandbox is often reachable — making the two campaigns potential sequential stages of a single kill chain rather than independent incidents.
Why FortiSandbox Is Such a High-Value Target
FortiSandbox occupies an unusually privileged position in enterprise security architectures. Organizations deploy it to detonate suspicious files, URLs, and email attachments in an isolated environment, returning clean or malicious verdicts that downstream Fortinet products rely on to make blocking decisions or trigger automated responses. A FortiGate firewall consults FortiSandbox's verdict before deciding whether to pass or block a file. A FortiMail gateway waits for a sandboxing result before releasing an email attachment. A FortiSOAR playbook may fire only when the sandbox says an alert is real.
A compromised FortiSandbox breaks this chain in two ways simultaneously: it gives attackers a high-privilege foothold on an appliance woven into the entire security fabric, and it hands them the ability to manipulate the verdicts those other products act on — silently marking malicious payloads as clean to clear the way for subsequent intrusion stages. Unlike compromising a workstation or even a perimeter firewall, compromising FortiSandbox corrupts the trust authority itself.
CVE-2026-39808 and CVE-2026-25089: Two Unauthenticated Paths to Root
Both flaws share the same underlying weakness: OS command injection (CWE-78), arising from insufficient sanitization of user-supplied input before it is passed to the system's command interpreter. Neither requires a valid username or password. Neither requires a victim to interact with anything. Both can be exploited remotely over HTTP.
CVE-2026-39808 (CVSS 9.1), disclosed April 14, 2026, resides in the FortiSandbox API component at the /fortisandbox/job-detail/tracer-behavior endpoint. The vulnerable parameter is jid — a GET parameter that the application passes to an OS process without stripping shell metacharacters. An attacker injects a pipe character followed by arbitrary commands and the system executes them as root. A single curl command is sufficient to achieve full system control. The flaw was discovered by Samuel de Lucas Maroto from KPMG Spain in November 2025 and reported to Fortinet through responsible disclosure before the April patch. A public proof-of-concept exploit has been available on GitHub since the April disclosure. The fix is FortiSandbox 4.4.9 or later.
CVE-2026-25089 (CVSS 9.1), disclosed June 9, 2026, was discovered by Adham El Karn of Fortinet's own Product Security team. It targets the FortiSandbox web UI rather than the API endpoint, and its blast radius is broader: it affects FortiSandbox 4.2.x across all sub-versions, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 5.0.0 through 5.0.5, FortiSandbox Cloud versions 5.0.4 through 5.0.5, and FortiSandbox PaaS versions 5.0.4 through 5.0.5. Its reach into cloud and platform-as-a-service deployments makes it particularly significant for organizations that have moved sandboxing workloads off-premises. The fix is FortiSandbox 4.4.9 or 5.0.6.
CISA has marked the ransomware association status for both flaws as "Unknown," meaning neither has been definitively linked to a ransomware campaign as of July 17. CISA's KEV listing supersedes vendor silence: inclusion in the catalog means the agency has independent evidence of real-world exploitation, even when the vendor's own advisories have not been updated.
Active Exploitation: Real but Asymmetric
Threat intelligence firm Defused reported observing exploitation attempts against both CVEs — alongside a third FortiSandbox flaw, CVE-2026-39813 (a path traversal vulnerability disclosed in April) — in the 24 hours preceding CISA's July 16 catalog update. CrowdSec's Network had earlier identified 49 unique malicious IP addresses probing CVE-2026-39808 as of mid-June 2026, when the first exploitation attempts were detected.
The two CVEs are not symmetrically risky. CVE-2026-39808 has a publicly documented working exploit that has been available since April. CVE-2026-25089, while broader in scope, has no confirmed functional public exploit as of this writing — Defused characterized the observed exploit code as "vibecoded," informal shorthand for AI-assisted code that appears to be poorly written and likely faulty. That assessment may not hold for long. Help Net Security noted in June that AI tooling is accelerating the timeline between vulnerability disclosure and functional weaponization across the security industry.
Fortinet had not updated its advisories to mark either flaw as exploited as of July 17, 2026, and did not respond to media inquiries from BleepingComputer and The Register.
FortiBleed's Expanding Campaign: From Perimeter to Sandbox
The FortiSandbox disclosures do not exist in isolation. Since at least February 2026, the campaign now known as FortiBleed has systematically harvested administrator and VPN credentials from internet-facing FortiGate firewalls at a scale that has no precedent in Fortinet's history. SOCRadar's investigation identified an operational server belonging to the threat actor group and traced a five-stage attack chain: large-scale reconnaissance with Masscan and Shodan across 59.3 million hosts, SSH brute-force against admin accounts, deployment of a custom Golang-based sniffer, offline hash cracking, and targeted exfiltration.
The sniffer, which SOCRadar named FortigateSniffer (tracked as fg_sniffer), abuses FortiOS's own legitimate diagnostic command diagnose sniffer packet to passively intercept authentication traffic across 24 protocols including RADIUS, NTLM, Kerberos, LDAP, SMB, and RDP — without deploying any traditional malware and without generating most conventional alerts. Captured hashes were cracked offline through a distributed GPU cluster managed via Hashtopolis and Hashcat. Security researcher Volodymyr Diachenko, who examined the exposed infrastructure, described a 45-GPU rig capable of turning a strong eight-character password into a solved hash within hours.
By June 19, 2026, the verified credential database stood at 86,644 FortiGate devices across 194 countries — representing roughly half of all internet-facing Fortinet hardware. Government entities accounted for 591 entries across 111 domains. Telecom firms were the hardest-hit sector by volume. At least one NATO-aligned defense contractor confirmed targeted data exfiltration.
SOCRadar attributed FortiBleed to operators linked to the Lynx/INC ransomware group, a Russian-speaking criminal operation active since 2023. At least 12 confirmed ransomware deployments have been directly traced to FortiBleed-sourced credentials. The campaign is not a one-time credential dump — it is an ongoing, industrialized harvesting operation, with new devices still being added to the attacker database as of July 17, 2026.
What makes the FortiSandbox escalation strategically significant is the network topology: FortiSandbox appliances typically reside on the same administrative management network as the FortiGate firewalls FortiBleed already compromised. An attacker holding valid FortiGate admin credentials does not need a new exploit to reach FortiSandbox — they may already have network-level access to the segment where it runs. The two campaigns are not parallel events but potentially sequential stages of the same operation.
What Organizations Should Do Now
Federal agencies operating FCEB systems must comply with the July 19 deadline under BOD 26-04. Agencies that cannot patch in time must apply available mitigations or take affected systems offline. CISA directs organizations to review its Forensics Triage Requirements before remediating any system suspected of compromise, in order to preserve evidence for incident analysis.
All other organizations with FortiSandbox deployments should treat these as immediate patching priorities regardless of the federal mandate. Fortinet's recommended remediation path is:
| Product | CVE | Vulnerable Versions | Patched Version |
|---|---|---|---|
| FortiSandbox | CVE-2026-39808 | 4.4.0–4.4.8 | 4.4.9 or later |
| FortiSandbox | CVE-2026-25089 | 4.4.0–4.4.8 | 4.4.9 or later |
| FortiSandbox | CVE-2026-25089 | 5.0.0–5.0.5 | 5.0.6 or later |
| FortiSandbox | CVE-2026-25089 | All 4.2.x | 4.4.9 or 5.0.6 |
| FortiSandbox Cloud | CVE-2026-25089 | 5.0.4–5.0.5 | Vendor-issued update |
| FortiSandbox PaaS | CVE-2026-25089 | 5.0.4–5.0.5 | Vendor-issued update |
Organizations running FortiGate hardware should also complete FortiBleed remediation if they have not already done so: update to the latest FortiOS release, force all administrators to log in and re-authenticate to trigger credential re-hashing under PBKDF2 (simply patching firmware does not re-hash existing credential entries — an admin login is required to activate the new storage format), enforce multi-factor authentication on all external management interfaces, and audit authentication logs for sessions that cannot be attributed to known administrators.
In total, CISA tracks 28 Fortinet vulnerabilities confirmed exploited in attacks in recent years, 13 of which have been directly linked to ransomware campaigns. The FortiSandbox additions bring that total to at least 30, and for defenders already stretched by FortiBleed remediation, Sunday's deadline is not optional.
Frequently Asked Questions
What does FortiSandbox actually do, and why does compromising it matter more than compromising a firewall?
FortiSandbox is a dedicated malware analysis appliance that detonates suspicious files, URLs, and email attachments inside isolated virtual machines and returns a threat verdict — clean or malicious — to the Fortinet products that depend on it, including FortiGate firewalls, FortiMail email security, FortiClient endpoint agents, and FortiSOAR automation platforms. Compromising a single firewall gives an attacker access to traffic passing through that device. Compromising FortiSandbox gives an attacker the ability to manipulate the verdicts that all of those downstream products act on — letting them certify their own malware as clean and silently disable protections across the entire security stack.
What is the specific technical flaw in CVE-2026-39808, and how hard is it to exploit?
CVE-2026-39808 is an OS command injection flaw (CWE-78) in the FortiSandbox API at the /fortisandbox/job-detail/tracer-behavior endpoint. The application passes user-supplied input from the jid GET parameter directly to an OS command interpreter without stripping shell metacharacters. An attacker injects a pipe character followed by any shell command, and the system executes it with root privileges. A single unauthenticated HTTP request — one curl command — is sufficient to achieve full system control. A working public proof-of-concept exploit has been available on GitHub since April 2026, meaning any attacker with network access to an unpatched FortiSandbox instance can compromise it without prior knowledge of the environment.
If my organization completed FortiBleed remediation, are we still at risk from these FortiSandbox CVEs?
Yes. FortiBleed targeted FortiGate firewalls via credential theft. The FortiSandbox CVEs are direct exploits of newly disclosed vulnerabilities in a different product. Completing FortiBleed remediation — patching FortiOS, rotating credentials, enforcing MFA — does not patch FortiSandbox. These two remediation tracks are separate and both are required. Additionally, because FortiSandbox appliances typically reside on the same administrative network segment as compromised FortiGate devices, attackers who still hold active FortiBleed credentials may already have network-level access to FortiSandbox, making patching FortiSandbox urgent even for organizations that believe their FortiGate remediation is complete.
Does the July 19 patch deadline apply to private companies, or only to federal agencies?
BOD 26-04 is a binding directive that legally applies only to Federal Civilian Executive Branch agencies. The July 19 deadline is a federal compliance requirement, not a mandate on private organizations. However, CISA strongly urges all organizations running FortiSandbox to treat these flaws as immediate patching priorities regardless of sector. CVE-2026-39808 has a publicly available working exploit, active exploitation is confirmed, and the targeted appliance's privileged position in enterprise security architectures makes delayed patching a strategic risk disproportionate to the remediation effort required.
Originally published on Tech Times
























