Three critical Fortinet sandbox bugs splattered by unknown attackers


---

What we know

Three critical flaws in Fortinet’s sandbox that allow remote attackers to bypass authentication, escalate privileges, and execute malicious code are under active exploitation, according to threat intelligence firm Defused. Fortinet patched two of the three flaws, CVE-2026-39813 and CVE-2026-39808, in April, and the third, CVE-2026-25089, last week. 1 CVSS ratings, and, at the time, the vendor said that there were no reports of active exploitation. CVE-2026-39813 is a path traversal bug in the FortiSandbox JRPC API that allows an authentication bypass using specially crafted HTTP requests. 5.

6+, depending on the branch, to fix the flaw. Fortinet security analyst Loic Pantano found this one. CVE-2026-39808 is an OS command injection flaw in FortiSandbox that allows unauthenticated attackers to execute unauthorized code or commands via HTTP requests. 9 or above patches the hole. Fortinet credited KPMG Spain researcher Samuel de Lucas Maroto with finding and reporting this bug. Finally, CVE-2026-2508

Source: The Register

Context

Tech news is rarely just a gadget headline. We frame what changed, who benefits, and what to watch next as details firm up.

Why this matters

Readers should treat early numbers and unnamed claims cautiously. The durable story is usually confirmed in docs, filings, or follow-up reporting.

What to watch next

Follow whether independent researchers or regulators validate the claims — that is often when the real scope becomes clear.

Practical takeaways

1) Separate the announcement from the shipping date. 2) Compare alternatives if pricing or terms shift. 3) Revisit the story when independent verification lands.

FAQ

**Q: Is everything in this article confirmed?** A: The summary reflects publicly reported information at publication time. Analysis sections are clearly framed as context, not new reporting.

**Q: Will iByte update this page?** A: Yes. As primary sources publish more detail, this article can be refreshed without changing the URL.

Last updated: June 16, 2026.

Additional context: early-cycle stories often look bigger in headlines than in day-to-day impact. The useful move is to identify the smallest set of facts that would change your decision, then wait for those facts to land.

