The tool you bought to catch malware is now being used as a foothold. Attackers started exploiting Fortinet FortiSandbox on June 15 — six weeks after patches were released.

Three critical vulnerabilities. All three actively exploited.
FortiSandbox is enterprise malware analysis infrastructure. You send suspicious files to it. It detonates them in isolation. It tells your SOC what it found. It has elevated network access to both clean and quarantine environments.
Here is the real issue: CVE-2026-39813 (CVSS 9.1) requires zero credentials. An attacker who can reach port 443 — almost always accessible — sends a crafted POST request to the JRPC API and injects path traversal sequences. Result: full access to configuration backups, serial numbers, version data, and administrative credentials. No login. No phishing. No inside access needed.
Two additional CVEs (CVE-2026-39808 and CVE-2026-25089) are being chained in observed attacks.
Patches have been available since April 2026. The exploitation window opened six weeks later, once attackers had time to weaponize the published advisories. This is now the third Fortinet security product actively exploited in 2026. FortiGate firewalls in February. FortiClient EMS endpoint manager in June. FortiSandbox this week.
Affected versions: FortiSandbox 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5. Fix: upgrade to 4.4.9+ or 5.0.6+.
What to do next:
Check your FortiSandbox version now. Isolate management access to FortiSandbox from internet-facing segments until patched. Review access logs on port 443 from June 15 onward for requests to the /jsonrpc/ endpoint.
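The version check and log review above, as an added example (not Fortinet tooling and not code from the original post). It assumes access logs in combined log format, a hypothetical management range in `MGMT_NETS`, and constructed sample lines; the affected version ranges and the June 15 start date are the ones stated in the post.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Affected ranges as given in the post (inclusive bounds).
AFFECTED = [((4, 4, 0), (4, 4, 8)), ((5, 0, 0), (5, 0, 5))]
WINDOW_START = datetime(2026, 6, 15, tzinfo=timezone.utc)
# Assumption: hosts allowed to reach the management interface.
MGMT_NETS = [ip_network("10.20.0.0/24")]
# Assumption: combined log format (e.g. a reverse proxy in front of the appliance).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def is_affected(version):
    """True if a dotted x.y.z version falls in a range the post lists."""
    v = tuple(int(p) for p in version.split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def triage(lines):
    """Flag /jsonrpc requests on or after WINDOW_START that need review."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        uri = unquote(unquote(m["uri"]))  # undo single and double URL-encoding
        if ts < WINDOW_START or not uri.lower().startswith("/jsonrpc"):
            continue
        reasons = []
        if not any(ip_address(m["ip"]) in net for net in MGMT_NETS):
            reasons.append("source outside management networks")
        if "../" in uri or "..\\" in uri:
            reasons.append("traversal sequence in URI")
        if reasons:
            findings.append((m["ip"], ts.isoformat(), m["method"], m["status"], reasons))
    return findings

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '10.20.0.15 - - [16/Jun/2026:09:12:01 +0000] "POST /jsonrpc/ HTTP/1.1" 200 512',
    '203.0.113.44 - - [17/Jun/2026:02:40:55 +0000] "POST /jsonrpc/ HTTP/1.1" 200 48211',
    '198.51.100.7 - - [18/Jun/2026:03:01:10 +0000] "POST /jsonrpc/%2e%2e%2f%2e%2e%2fx HTTP/1.1" 404 0',
    '203.0.113.44 - - [01/Jun/2026:11:00:00 +0000] "POST /jsonrpc/ HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Access logs normally record only the request line, so anything carried in a POST body will not show up there; that is why every /jsonrpc request from outside the management ranges is flagged for review, not only those with a visible traversal sequence.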
Security tools are not immune to their own vulnerability lifecycle. They just get less scrutiny than production systems — and attackers know it.
Links for a deeper technical dive are in the comments.

