Three recently patched Fortinet FortiSandbox vulnerabilities, including CVE-2026-39808, CVE-2026-39813, and CVE-2026-25089, are being actively exploited in the wild, with defenders also observing attacks against FortiClient EMS flaws. Separately, SOCRadar says the FortiBleed campaign has compromised more than 30,000 Fortinet firewalls and VPN gateways across over 190 countries, with attackers harvesting credentials and using them to expand access. #Fortinet #FortiSandbox #FortiClientEMS #FortiBleed #CVE-2026-39808 #CVE-2026-39813 #CVE-2026-25089 #CVE-2026-21643 #CVE-2026-35616
Keypoints
- Defused detected in-the-wild exploitation of three Fortinet FortiSandbox vulnerabilities.
- CVE-2026-39813 enables authentication bypass and was rated critical.
- CVE-2026-39808 is a command injection flaw that can lead to arbitrary code execution.
- CVE-2026-25089 lets unauthenticated attackers run arbitrary commands on vulnerable appliances.
- SOCRadar says the FortiBleed campaign has compromised more than 30,000 Fortinet firewalls and VPN gateways.