CISA Flags Three Actively Exploited Bugs in Fortinet and SharePoint
Two Fortinet FortiSandbox flaws and a Microsoft SharePoint deserialization bug are being used in real attacks, the US cyber agency warns.

Key points
- CISA added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, covering products from Fortinet and Microsoft.
- Two of the flaws, CVE-2026-25089 and CVE-2026-39808, sit in Fortinet FortiSandbox, a security appliance used to inspect suspicious files.
- The third, CVE-2026-58644, is a deserialization bug in Microsoft SharePoint, the widely used document and collaboration platform.
- Federal civilian agencies must patch quickly under Binding Operational Directive 26-04, which prioritises fixes for bugs on public-facing systems.
- CISA is urging all organisations, not just federal ones, to treat KEV Catalog bugs as top priority.
The US Cybersecurity and Infrastructure Security Agency has added three new security flaws to its running list of bugs that criminals are actively abusing.
The agency, known as CISA, publishes what it calls the Known Exploited Vulnerabilities Catalog. Think of it as a most-wanted list for software flaws. If a bug is on it, attackers are already using it in the wild.
According to the CISA advisory, two of the new entries affect Fortinet FortiSandbox. That is a network security appliance companies buy to detonate suspicious files in a safe environment and see if they behave like malware. The flaws, tracked as CVE-2026-25089 and CVE-2026-39808, are both operating system command injection bugs. In plain English: an attacker can trick the device into running commands it should never run, giving them a foothold inside the network.
The third flaw is in Microsoft SharePoint, the document sharing and intranet platform many offices run daily. It is tracked as CVE-2026-58644 and is a deserialization of untrusted data bug. That means SharePoint can be fed a specially crafted piece of data that it unpacks incorrectly, letting the attacker run their own code on the server.
What does this mean for the average person?
Directly, not much. These are enterprise products that sit inside company and government networks. You do not run FortiSandbox at home, and most people only touch SharePoint through a work login.
Indirectly, it matters more. SharePoint servers often hold sensitive internal documents. Fortinet security appliances sit at the edge of corporate networks and see a lot of traffic. When attackers get into either, the fallout usually shows up later as data leaks, ransomware incidents, or breach notification letters to customers.
Who has to act, and when?
US federal civilian agencies are on the clock. A rule called Binding Operational Directive 26-04 tells them to prioritise patching bugs that appear on the KEV Catalog, especially on systems that face the public internet and would hand an attacker full control if broken into.
The directive also tells agencies to check whether attackers already got in before the patch was applied. Patching a machine that is already breached just locks the criminal inside with you.
CISA said the rule technically only binds federal civilian agencies, but it is urging every organisation to follow the same approach. Private companies, hospitals, universities and local governments are not required to act, but they are on the same internet as everyone else.
What should IT teams do now?
Check Fortinet's advisories and Microsoft's security update guide for the affected products, apply the patches, and review logs for signs of prior intrusion. For SharePoint in particular, deserialization bugs are a favourite of ransomware crews looking for a quick way into corporate file stores.
CISA did not name the specific groups exploiting the three bugs, and did not disclose victim counts. That is normal at this stage. The catalog listing itself is the signal: someone, somewhere, is already using these flaws to break into real systems.
Expect more detail to surface in the coming weeks as incident responders publish what they are seeing.



