Fortinet’s PSIRT advisory FG-IR-26-100, published April 14, rated CVE-2026-39808 at CVSS 9.1 and shipped patches the same day. Fortinet hasn’t confirmed exploitation as of this writing, and didn’t respond to a request for comment. At least two security firms, however, have confirmed that exploitation is underway.

VulnCheck logged the first exploitation of CVE-2026-39808, an OS command injection flaw in FortiSandbox’s API, on June 9. Defused confirmed it June 11, then caught CVE-2026-39813, a path-traversal authentication bypass in the JRPC API, on June 15. CEO Simo Kohonen counted 49 exploitation events from 11 distinct IPs in six days. A third flaw, CVE-2026-25089, patched only June 9, is also drawing attempts.

This isn’t one coordinated campaign. Defused traced activity to 13 sources across nine countries: China, South Korea, Taiwan, India, Singapore, Germany, the Netherlands, Canada, and Bulgaria. “Multiple independent operators on commodity infrastructure,” Kohonen told CyberScoop. The three flaws don’t need to be chained, but they complement one another: one bypasses authentication, one escalates privileges, and one executes arbitrary commands.

FortiSandbox is the part of the estate you don’t want handed over. It ingests suspicious content and feeds threat verdicts to other Fortinet devices; a foothold there fans out across the whole security stack. Post-exploitation behavior stays in recon and verification mode so far, which typically precedes a heavier attack phase. The architecture matters: compromising the device that other security products depend on for threat verdicts gives an attacker elevated access throughout the environment, not just at the perimeter.

CISA’s known exploited vulnerabilities catalog holds 26 Fortinet entries since 2021. These three aren’t there yet. Worth checking your FortiSandbox version before that changes.

Rebecca Lauren