

Ethical Hacking News

Fortinet FortiSandbox Vulnerabilities: Exploitation by Attackers Leaves Millions Exposed


Fortinet FortiSandbox vulnerabilities have been exploited by attackers, leaving millions of devices exposed to potential attacks. The discovery highlights the importance of staying up to date with security patches and implementing robust cybersecurity measures.

  • Multiple vulnerabilities in Fortinet FortiSandbox have been exploited, leaving millions of devices exposed to potential attacks.
  • CVE-2026-39813 (path traversal leading to authentication bypass) and CVE-2026-39808 (operating system command injection) can be exploited by an unauthenticated attacker via crafted HTTP requests.
  • CVE-2026-25089 is an operating system command injection vulnerability that allows unauthorized commands to be executed via specially crafted HTTP requests.
  • Fortinet patched CVE-2026-39813 and CVE-2026-39808 in April 2026, but attackers were able to exploit them before the patch was fully implemented.
  • Over 30,000 Fortinet firewalls have been compromised as part of a large-scale campaign by suspected Russian-speaking threat actors.
  • The attacker's database contains login credentials for over 30,791 devices belonging to companies and government organizations across 194 countries.



    Threat intelligence firm Defused Cyber has recently observed the exploitation of multiple security vulnerabilities in Fortinet FortiSandbox, leaving millions of devices exposed to potential attacks. According to the company's post shared on X, the vulnerabilities being targeted are CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089.

    CVE-2026-39813 is a path traversal vulnerability in FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests. The second flaw, CVE-2026-39808, is a case of operating system command injection that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests. Both vulnerabilities were patched by Fortinet in April 2026.

    CVE-2026-25089, on the other hand, was fixed last week, with Fortinet describing it as an operating system command injection impacting the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web UI that could allow an unauthenticated attacker to execute unauthorized commands via specially crafted HTTP requests. Defused Cyber noted that the exploit for CVE-2026-25089 not only shows signs of being developed using an artificial intelligence (AI) model, but is also faulty.

    The report shows that vulnerabilities in Fortinet FortiSandbox have been exploited by attackers, leaving millions of devices exposed to potential attacks. Fortinet patched CVE-2026-39813 and CVE-2026-39808 in April 2026, but it appears that some attackers were able to exploit the flaws before the patch could be fully implemented.

    In addition to the vulnerabilities being targeted, Defused Cyber also reported that suspected Russian-speaking threat actors have compromised more than 30,000 Fortinet firewalls as part of an ongoing, large-scale campaign. The attack was discovered after identifying an operational server associated with the activity. The attacker's database contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries.

    The cybersecurity company made the discovery after identifying an operational server associated with the activity. "The group uses a two-step approach," the company added. "First, they try a list of previously leaked Fortinet passwords against devices across the internet – many organizations never changed passwords after earlier breaches. Second, once inside a device, they passively monitor network traffic to collect additional credentials as they pass through. Those are then used to compromise even more devices."

    The discovery was made by threat intelligence firm SOCRadar after identifying an operational server associated with the activity. The group is suspected to be a Russian-speaking multi-operator group conducting large-scale credential harvesting against Fortinet FortiGate SSL VPN appliances worldwide.
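
    The first step of the two-step approach quoted above, leaked passwords tried against SSL VPN logins, shows up in logs as one remote address failing against several accounts and then getting in. The following is an added detection example, not code from the article or from Fortinet; the sample lines are constructed, and the field names (`action`, `remip`, `user`) and action values (`ssl-login-fail`, `tunnel-up`) are assumptions to check against your own log export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate-style key=value form (not real logs).
SAMPLE_LOG = """\
date=2026-06-10 time=02:11:01 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="alice"
date=2026-06-10 time=02:11:03 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="bob"
date=2026-06-10 time=02:11:06 subtype="vpn" action="ssl-login-fail" remip=203.0.113.7 user="carol"
date=2026-06-10 time=02:11:09 subtype="vpn" action="tunnel-up" remip=203.0.113.7 user="dave"
date=2026-06-10 time=08:30:00 subtype="vpn" action="ssl-login-fail" remip=198.51.100.20 user="erin"
date=2026-06-10 time=08:30:40 subtype="vpn" action="tunnel-up" remip=198.51.100.20 user="erin"
"""

FAIL, OK = "ssl-login-fail", "tunnel-up"  # assumed action values, adjust to your logs
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    rec = {k: (q if q else b) for k, q, b in KV.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_stuffing(log_text, min_users=3, window=timedelta(minutes=10)):
    """Flag remote IPs failing against >= min_users accounts inside `window`;
    a success from the same IP in that window suggests a still-valid leaked password."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            if rec.get("action") in (FAIL, OK):
                by_ip[rec["remip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["action"] == FAIL]
        for i, first in enumerate(fails):
            in_win = [r for r in fails[i:] if r["ts"] - first["ts"] <= window]
            users = sorted({r["user"] for r in in_win})
            if len(users) >= min_users:
                hits = sorted({r["user"] for r in recs if r["action"] == OK
                               and first["ts"] <= r["ts"] <= first["ts"] + window})
                findings[ip] = {"tried": users, "compromised": hits}
                break
    return findings

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

    Accounts listed under `compromised` are the ones to reset first, since the article notes that many organizations never changed passwords after earlier breaches.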

    The attack has significant implications for organizations that use Fortinet FortiSandbox and other Fortinet devices, as well as those that have been compromised by this attack. It highlights the importance of keeping software up to date with security patches and the need for robust cybersecurity measures to protect against emerging threats.

    In conclusion, the exploitation of vulnerabilities in Fortinet FortiSandbox by attackers has left millions of devices exposed to potential attacks. The discovery of a large-scale campaign targeting Fortinet firewalls and the use of artificial intelligence (AI) models to develop exploits highlight the importance of staying up to date with security patches and implementing robust cybersecurity measures.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Fortinet-FortiSandbox-Vulnerabilities-Exploitation-by-Attackers-Leaves-Millions-Exposed-ehn.shtml

  • https://thehackernews.com/2026/06/attackers-exploit-three-fortinet.html


  • Published: Wed Jun 17 23:42:24 2026 by llama3.2 3B Q4_K_M












