Multiple Groups Exploit Critical FortiSandbox Flaws Across 200 Countries

Multiple sources confirm active exploitation of CVE-2026-25089 and CVE-2026-39813 against FortiSandbox, with credentials compiled for tens of thousands of appliances.

    Multiple independent threat intelligence firms have confirmed active exploitation of two critical Fortinet FortiSandbox vulnerabilities from distinct infrastructure sets across nearly 200 countries. The attacks indicate the toolchain is already automated and available in underground markets to multiple independent threat actors.

    Both flaws were disclosed by Defused Threat Intelligence and Fortinet and have been exploited in the wild to harvest working login credentials for tens of thousands of compromised FortiSandbox appliances.

    Within that geographic spread, victims include organizations in financial services, healthcare, government, and defense, so no industry vertical can treat itself as outside the scope of the exploitation chain.

    CVE-2026-25089 and CVE-2026-39813: How the Exploitation Chain Works

    CVE-2026-25089 allows unauthenticated attackers to remotely execute arbitrary code on FortiSandbox appliances. Its severity score of 9.8 makes it one of the most critical flaws disclosed in the Fortinet product line, because the attack requires no authentication.

    CVE-2026-39813 is a path traversal flaw that lets an attacker read configuration files from the FortiSandbox appliance and extract the credentials they contain. Together, the two vulnerabilities form a chain: the attacker obtains code execution and readable configuration, authenticates to the FortiSandbox instance with the harvested credentials, and can then use the sandbox itself as a platform for further operations.
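    The article does not publish the request shape used against CVE-2026-39813, so the following added example (not code from the article, Fortinet, or Defused) shows only the generic detection a defender can run today: scan HTTP access logs in front of an appliance for path traversal, normalizing single- and double-URL-encoded `..` segments so that `..%2f` and `%252e%252e` are caught alongside the plain form, and report which sources had traversal requests answered with 200. The log format (combined access log) and the sample lines are constructed assumptions; substitute the real log source and format in use.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined access-log format (assumed format,
# not taken from the article or from any FortiSandbox appliance).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2026:08:01:12 +0000] "GET /login HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2026:08:01:13 +0000] "GET /api/../../../etc/passwd HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2026:08:02:40 +0000] "GET /static/..%2f..%2fconfig HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/May/2026:08:02:41 +0000] "GET /static/%252e%252e/%252e%252e/secrets HTTP/1.1" 404 0 "-" "curl/8.0"
192.0.2.5 - - [10/May/2026:08:03:00 +0000] "GET /docs/v2..3/readme HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Source address, timestamp, method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded traversal
    such as %252e%252e collapses to '..' before inspection."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target):
    """True when the decoded path contains a '..' segment. Splitting on
    both '/' and '\\' avoids matching harmless names such as 'v2..3'."""
    path = target.split('?', 1)[0]
    segments = re.split(r'[/\\]+', fully_decode(path))
    return any(seg == '..' for seg in segments)


def scan(log_text):
    """Return one finding per request whose target is a traversal attempt."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than fail
        if is_traversal(m['target']):
            findings.append({
                'src': m['src'],
                'ts': m['ts'],
                'target': m['target'],
                'decoded': fully_decode(m['target'].split('?', 1)[0]),
                'status': int(m['status']),
            })
    return findings


def sources_with_successful_reads(findings):
    """Sources whose traversal request got a 200: the ones to treat as
    having possibly read configuration, and whose appliances need
    credential rotation, not just a patch."""
    return sorted({f['src'] for f in findings if f['status'] == 200})


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} {h['status']} {h['target']} -> {h['decoded']}")
    print('sources with a 200 response to traversal:',
          sources_with_successful_reads(hits))
```

    A 404 on a traversal attempt is still worth alerting on (it shows targeting), but a 200 is the signal that a file may actually have been returned and that the appliance's credentials should be assumed harvested.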

    Distinct Attacker Infrastructure Confirms Widespread Toolchain Availability

    The exploitation pattern is notable because the attacks originate from distinct infrastructure sets. Multiple independent actors are each harvesting FortiSandbox credentials at scale; this is not a coordinated campaign by a single group.

    The independent infrastructure sets suggest the exploitation toolchain has been shared across threat actor communities rather than controlled by a single operator. Each actor brings their own targeting focus, infrastructure, and operational tempo, making coordinated defense responses more complex than defending against a single adversary.

    Patch Failure and Global Exposure Scope

    Fortinet released patches for both vulnerabilities months ago. The continued widespread exploitation confirms a systemic failure to patch: FortiSandbox appliances remain online at scale with known remote code execution and configuration file read vulnerabilities.

    The failure is partly explained by the operational role of FortiSandbox itself. The appliances are deployed in production for malware analysis, so uptime requirements can discourage immediate patching. Organizations may also overlook FortiSandbox in their patch cycles because it is an analytical tool rather than a perimeter defense system.

    The scale of exposure is significant. Tens of thousands of working credentials compiled at the device level mean attackers have footholds across the global FortiSandbox installation base, potentially using the sandboxes' own privileged access for further operations against the organizations that deployed them. Patching alone does not undo that: credentials already read from an exposed appliance remain valid until they are rotated, so an appliance that was reachable while unpatched should be treated as compromised and its credentials changed, not merely updated.
