CISA gives federal agencies a weekend to patch two Fortinet flaws already under attack

Two critical bugs in Fortinet's FortiSandbox let intruders run code without a password. Attackers are already trying them. Federal agencies have until Sunday to install the fix.

ThreatVectr Newsdesk· 3 min read
Full-frame edge-to-edge photoreal news-editorial image of a dark server rack in a data centre with a single amber warning light glowing on one rack unit, cool b
Share

Key points

  • The U.S. Cybersecurity and Infrastructure Security Agency, known as CISA, on Thursday ordered federal agencies to patch two Fortinet FortiSandbox flaws that hackers are actively exploiting.
  • The two bugs, CVE-2026-39808 and CVE-2026-25089, let an outsider run their own code on the device with no login and no user click.
  • Fortinet quietly fixed the flaws on April 14 and June 9 in its own security advisories.
  • Threat intelligence firm Defused reported on June 16 that attackers had started using the bugs in real attacks.
  • Federal agencies must patch by Sunday, July 19 under Binding Operational Directive 26-04.

America's cyber agency has told federal staff to drop what they are doing and patch two Fortinet products this weekend.

The order, issued Thursday by CISA, covers Fortinet FortiSandbox. That is a security appliance companies use to detonate suspicious files in a safe sealed-off environment and see if they misbehave. It is meant to catch malware. Right now it is the thing being attacked.

The two flaws are rated critical. In plain terms, they let a stranger on the internet send a specially crafted request to the device and make it run commands. No password. No trickery of an employee. No clicking a link. Just send the packet and you are in.

In web-security terms, this is command injection, a classic bug where user input gets fed straight into a system command the server then runs. It is one of the oldest tricks in the book. It should not still be showing up in security appliances in 2026. It does.

Who is actually being hit?

Fortinet has not publicly confirmed the bugs are being used in the wild, and did not answer questions from BleepingComputer about attacks. But threat intelligence firm Defused said on June 16 it was watching live exploitation attempts against multiple FortiSandbox flaws, including these two and a third, CVE-2026-39813.

Defused noted one of the exploits looked "vibecoded," its cheeky way of saying someone probably wrote it with an AI assistant and it does not quite work. That is worth pausing on. The barrier to writing a rough working exploit has dropped. The exploits are sloppier, but there are more of them, and they arrive faster.

CISA then added both bugs to its Known Exploited Vulnerabilities catalog, the official list of flaws it has confirmed are being used against real targets. Under Binding Operational Directive 26-04, a rule that forces federal civilian agencies to patch listed bugs on a deadline, they have until Sunday, July 19.

What should ordinary people do?

Nothing directly. FortiSandbox is not a product you have at home. It sits inside corporate and government networks, screening files before they reach staff.

But the wider pattern matters. Fortinet gear has been a favourite target for years. CISA now tracks 28 Fortinet flaws that have been used in real attacks, and 13 of those have shown up in ransomware cases, where criminals lock a company's files and demand payment to unlock them.

Earlier this year Fortinet patched a SQL injection bug, CVE-2026-21643, in its FortiClient Enterprise Management Server. Defused flagged that one as under attack a month after the fix landed. Then came CVE-2025-61624, a path traversal flaw, a bug that lets an attacker climb out of the folder they are supposed to be in and reach files they should not see.

The fix for FortiSandbox is the same as the fix for the others. Upgrade to the patched version. Do it now, not next quarter. If your bank, hospital or local council uses Fortinet gear, and many do, this is the sort of housekeeping that decides whether their next Monday is quiet or catastrophic.

© 2026 Threat Vectr