Attackers target critical FortiSandbox flaws as CISA issues patch order


Fortinet admins have two more reasons to clear their calendars after CISA confirmed a pair of critical FortiSandbox bugs are being actively exploited.

The two bugs, tracked as CVE-2026-39808 and CVE-2026-25089, both carry CVSS scores of 9.1 and affect FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. According to Fortinet, they are OS command injection flaws that allow unauthenticated attackers to execute arbitrary commands via specially crafted HTTP requests, requiring neither valid credentials nor user interaction.

Fortinet released fixes for CVE-2026-39808 in April and CVE-2026-25089 in June, warning in advisories published at the time that successful exploitation could lead to remote code execution via low-complexity attacks.

Read more…
Source:  The Register News


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Three Steps to the Terminal: A Siemens ROX II Zero-Day Trilogy

    July 17, 2026

    Palo Alto Unit 42 conducted this research in close partnership with Siemens, reflecting their shared commitment to advancing the security and resilience of critical infrastructure. This report details a critical, chained exploit comprising three zero-day vulnerabilities (CVE-2025-40948, CVE-2025-40947, and CVE-2025-40949) discovered in Siemens ROX II operational technology (OT) switches. Successful exploitation of this chain would allow ...

  • Shark vacuum flaw exposes cameras, home maps and Wi-Fi passwords

    July 17, 2026

    Shark’s cloud-connected robot vacuums are currently exposed by an unpatched AWS (Amazon Web Services) IoT (Internet of Things) policy flaw that could turn one compromised device into a remote-control skeleton key for many others in the same region, with access to cameras, maps, and Wi‑Fi passwords. A researcher using the handle tokay0 took apart a Shark RV2320EDUS robot vacuum and ...

  • Attackers target critical FortiSandbox flaws as CISA issues patch order

    July 17, 2026

    Fortinet admins have two more reasons to clear their calendars after CISA confirmed a pair of critical FortiSandbox bugs are being actively exploited. The two bugs, tracked as CVE-2026-39808 and CVE-2026-25089, both carry CVSS scores of 9.1 and affect FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. According to Fortinet, they are OS command injection flaws that allow ...

  • GoSerpent: a persistent threat evolves with sophisticated data collection and exfiltration

    July 16, 2026

    In February 2026, Kaspersky discovered a set of malicious activities that had been ongoing since late 2025. These activities involved a RAT module written in Go with proxy capabilities, which served as the main stage of the attack. The attack targeted government and diplomatic entities in Southeast Asia and showed a level of sophistication that ...

  • Tech support scam caused massive data breach at Australian airline Qantas

    July 16, 2026

    Australia’s Privacy Commissioner has revealed a tech support scam was the cause of the massive 2025 data breach at Australian airline Qantas and found the carrier didn’t breach its privacy obligations despite leaking personally identifiable information for 5.7 million customers. The Commissioner reached that conclusion, and a decision not to open a formal privacy probe, in ...

  • This fake Apple app can unlock your Mac’s password vault

    July 15, 2026

    CrashStealer is a new macOS infostealer that masquerades as Apple’s CrashReporter component, uses an Apple‑notarized installer to slip past Gatekeeper, tricks users into handing over their password, and then systematically loots browsers, password managers, crypto wallets, and Keychain secrets before exfiltrating them in AES‑encrypted bundles. Researchers have been following the development of CrashStealer since May 2026. It ...