HomeMalware & ThreatsCISA Includes FortiSandbox Vulnerabilities in KEV Catalog

CISA Includes FortiSandbox Vulnerabilities in KEV Catalog

Published on

spot_img

Incident & Breach Response,
Security Operations

Agencies Have Until Sunday to Patch Two Critical Command Injection Flaws

CISA Includes FortiSandbox Vulnerabilities in KEV Catalog
Image: Shutterstock/ISMG

The urgency within the cybersecurity landscape has heightened due to recent developments involving Fortinet’s firewall products. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially included two critical vulnerabilities threatening the Fortinet product, FortiSandbox, in its Known Exploited Vulnerabilities catalog as of Thursday. This move underlines the pressing need for organizations to address these vulnerabilities promptly.

The two critical severity flaws, identified as CVE-2026-39808 and CVE-2026-25089, directly impact FortiSandbox, which is specifically designed to provide isolated environments for testing suspicious or unknown files prior to their execution. Fortinet has already issued fixes for both vulnerabilities, the first being addressed in April and the second in June.

CISA has emphasized the critical nature of these flaws, explaining that vulnerabilities within Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS allow unauthenticated attackers to execute unauthorized commands via specially crafted HTTP requests. In light of this, government agencies have been urged to apply the patches by Sunday to prevent potential exploitations.

Although Fortinet has yet to confirm the exploitation of these vulnerabilities, reports from the threat intelligence firm Defused indicate that attempts to exploit these flaws surfaced as early as mid-June. According to Defused, evidence suggests that multiple FortiSandbox vulnerabilities were being actively exploited, including CVE-2026-39808 and CVE-2026-25089, alongside a third vulnerability.

In recent communications on social media platform X, Defused reported that there were active exploits for these vulnerabilities observed in the previous 24 hours. This situation follows the disturbing trend of the recent FortiBleed credential-harvesting campaign that resulted in the compromise of over 430,000 FortiGate firewalls by exploiting previously disclosed vulnerabilities, which had not yet been patched. Compounding this issue, Fortinet disclosed a new vulnerability affecting FortiSandbox that came to light in their latest patch release on Tuesday.

Experts in the cybersecurity sector have expressed concerns about the implications of these vulnerabilities. John Bambenek, president of Bambenek Consulting, remarked that even after vulnerabilities are disclosed, threat actors persist in developing exploits in the weeks and months that follow. This reality poses a significant challenge, especially for network and adjacent devices that may not receive immediate attention from security engineers for rapid patching efforts.

Highlighting the critical function of FortiSandbox, Paul Asadoorian, a principal security researcher at Eclypsium, explained that this system should serve as a controlled environment where malware can be analyzed safely. However, the existence of such vulnerabilities means that attackers could potentially execute commands without the need for credentials, which poses grave risks, allowing adversaries insight into what defenders are analyzing. This could serve as a pathway to further infiltrate networks and systems.

Focusing on the specifics of CVE-2026-25089, experts from network monitoring firm Arctic Wolf have indicated that the core issue stems from improper sanitization of user-supplied input utilized for OS command execution, particularly noted in the “Start VNC” web UI feature. This can lead to remote code execution, complete system compromise, and potentially grant access to sensitive sandboxed data. Such vulnerabilities are particularly concerning as they can be easily weaponized, especially on appliances exposed to public networks. Although FortiSandbox possesses a limited enterprise footprint, typically around 0.06% market share, its deployment is concentrated in high-value sectors, thus amplifying the potential impact of a compromise.

Additionally, CVE-2026-39808 exploits insufficient input validation as stated by security firm SentinelOne. They found that certain inputs could bypass necessary safety measures, thus allowing an attacker to inject arbitrary OS commands, executed with the privileges of the FortiSandbox service. This flaw can be exploited remotely without needing prior authentication or privileges on the target system, raising alarms for security teams worldwide.

Signs of compromise for organizations utilizing FortiSandbox can manifest through unexpected process launches, unusual outbound connections to external IP addresses, and suspicious command executions recorded in system logs. Unauthentic files or scripts surfacing in temporary directories can also indicate an ongoing threat.

As cybersecurity threats continue to evolve, the need for vigilance, rapid response, and effective patching procedures becomes ever more crucial. Organizations are urged to prioritize the patching of these vulnerabilities to safeguard their networks and operations against potential exploitation.

Source link

Latest articles

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker; Lawyers Claim Misidentification

Armenian authorities have detained a Russian national named Aleksandr Ermakov at the request of...

SANS Highlights AI Governance Gap Amid Rising Security Team Usage

AI Integration in Cybersecurity: Balancing Confidence with Deployment Challenges In recent developments within the cybersecurity...

AI Has Evolved from Assistant to Operator, Warns Check Point Research

AI's Evolving Role in Cyberattacks: Insights from Check Point Research's Annual Security Report Check Point...

Suspected Chinese Spies Discovered Breaching Universities’ Roundcube Mailservers

Security Investigation Uncovers Chinese Espionage Activities Targeting Academic Institutions Recent findings from Proofpoint, a prominent...

More like this

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker; Lawyers Claim Misidentification

Armenian authorities have detained a Russian national named Aleksandr Ermakov at the request of...

SANS Highlights AI Governance Gap Amid Rising Security Team Usage

AI Integration in Cybersecurity: Balancing Confidence with Deployment Challenges In recent developments within the cybersecurity...

AI Has Evolved from Assistant to Operator, Warns Check Point Research

AI's Evolving Role in Cyberattacks: Insights from Check Point Research's Annual Security Report Check Point...