Threat actors are actively exploiting multiple critical vulnerabilities in Fortinet FortiSandbox products, according to threat intelligence firm Defused Cyber. The company reported observing exploitation attempts against CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 within a 24-hour period, underscoring attackers' continued interest in compromising Fortinet security appliances. CVE-2026-39813 is a path traversal vulnerability in the FortiSandbox JRPC API; rated CVSS 9.1, it could allow an unauthenticated attacker to bypass authentication with specially crafted HTTP requests. CVE-2026-39808, also rated 9.1, is an operating system command injection flaw that could let unauthenticated attackers execute unauthorized code or commands through crafted HTTP requests. Fortinet addressed both in April 2026. The third issue, CVE-2026-25089, was patched only last week and affects the web interfaces of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Fortinet describes it as an operating system command injection flaw that could permit remote, unauthenticated attackers to execute unauthorized commands by sending specially crafted HTTP requests.
Defused Cyber also noted unusual characteristics in the exploit development for CVE-2026-25089: researchers observed indications that the exploit code may have been written with the assistance of an artificial intelligence model. The company added, however, that the available exploit appears to be faulty and that no fully functional public exploit has yet been disclosed. The activity adds to a growing pattern of attacks on Fortinet products, which have been a frequent target of cybercriminal groups in recent years. Earlier in April 2026, Fortinet released emergency patches for another critical vulnerability in FortiClient EMS, tracked as CVE-2026-35616, after confirming active exploitation in real-world attacks. Security experts have repeatedly warned that internet-facing security appliances are attractive targets because a successful compromise can provide direct access to enterprise networks, sensitive information, and administrative systems.
The latest vulnerability activity coincides with revelations from cybersecurity company SOCRadar about a large-scale campaign dubbed FortiBleed. According to the company, suspected Russian-speaking threat actors have compromised more than 30,000 Fortinet firewalls across 194 countries. Researchers uncovered the operation after identifying an active server associated with the campaign. Analysis of the infrastructure revealed a database containing login credentials for approximately 30,791 devices belonging to businesses and government organizations worldwide. SOCRadar emphasized that these were not randomly generated credentials but verified usernames and passwords that the attackers had tested and confirmed using continuously running automated systems. Affected organizations span multiple sectors, including banking, telecommunications, healthcare, education, government, energy, and multinational enterprises. The most heavily affected countries include India, the United States, Mexico, Colombia, Thailand, Taiwan, Indonesia, Malaysia, Singapore, and France. Researchers noted that India accounts for approximately 60 percent of all internet-exposed Fortinet deployments in the government sector.
According to SOCRadar, the attackers rely on a two-stage methodology. They first replay previously leaked Fortinet passwords against internet-facing devices, taking advantage of organizations that did not change credentials after earlier breaches. Once access is obtained, the compromised devices are used to monitor network traffic and capture additional credentials moving through the environment. Those newly acquired credentials are then used to expand access to other systems, creating a cycle of ongoing compromise.

Additional analysis released by Hudson Rock on June 17, 2026, estimated that the FortiBleed operation targeted 73,932 unique firewall URLs across 194 countries and affected 21,632 unique domains. Security researcher Volodymyr "Bob" Diachenko stated that the operation processed approximately 1.16 billion credential attempts against more than 320,000 FortiGate targets and another 2.1 billion attempts against over 163,000 Microsoft SQL servers. Researchers believe the group also intercepts SSL VPN authentication traffic, cracks password hashes using a 45-GPU cluster managed through Hashtopolis, and later moves into Active Directory environments to establish persistence. Hudson Rock further warned that even highly complex passwords offer little protection once attackers hold them in plaintext. Independent analysis by cybersecurity researcher Kevin Beaumont found the exposed credentials to be legitimate and indicated that many affected devices had management interfaces reachable from the internet. Fortinet responded that the credentials appear to originate from older incidents and brute-force attacks rather than from any newly discovered vulnerability, adding that organizations following recommended security practices, including regular credential rotation and multi-factor authentication, face significantly lower risk from the activity currently being reported.
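The first stage described above, replaying leaked or sprayed credentials against internet-facing FortiGate logins, leaves a recognisable trace in the device's own event logs: one source address failing authentication for many distinct accounts in a short window, sometimes followed by a success for one of those accounts. The script below is an added example written for this article, not code from SOCRadar, Hudson Rock or Fortinet. It runs two checks over constructed log lines that imitate the FortiGate key=value event-log layout: a credential-spray detector and a check for administrative logins from outside RFC 1918 space (the exposed-management-interface condition Beaumont described). The action names, reason strings and the 10-minute/5-failure/3-account thresholds are assumptions; map them to your own log export before use.

```python
"""Added example: spotting FortiBleed-style credential replay and exposed admin
logins in FortiGate-style SSL VPN / system event logs.

The log lines are constructed for this example. Field names imitate the
FortiGate key=value layout, but the specific action/reason values are
assumptions, not copied from Fortinet documentation.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays five accounts and lands on "rpatel",
# a legitimate user mistypes twice, and "admin" logs in from a public address.
SAMPLE_LOGS = """\
date=2026-06-18 time=03:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip=203.0.113.10 reason="sslvpn_login_unknown_user"
date=2026-06-18 time=03:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="mlee" remip=203.0.113.10 reason="sslvpn_login_password_error"
date=2026-06-18 time=03:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="akhan" remip=203.0.113.10 reason="sslvpn_login_password_error"
date=2026-06-18 time=03:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="rpatel" remip=203.0.113.10 reason="sslvpn_login_password_error"
date=2026-06-18 time=03:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="dchen" remip=203.0.113.10 reason="sslvpn_login_password_error"
date=2026-06-18 time=03:00:09 type="event" subtype="vpn" action="tunnel-up" user="rpatel" remip=203.0.113.10 reason="N/A"
date=2026-06-18 time=08:15:10 type="event" subtype="vpn" action="ssl-login-fail" user="bwong" remip=198.51.100.7 reason="sslvpn_login_password_error"
date=2026-06-18 time=08:15:31 type="event" subtype="vpn" action="ssl-login-fail" user="bwong" remip=198.51.100.7 reason="sslvpn_login_password_error"
date=2026-06-18 time=08:15:55 type="event" subtype="vpn" action="tunnel-up" user="bwong" remip=198.51.100.7 reason="N/A"
date=2026-06-18 time=09:02:00 type="event" subtype="system" action="login" user="admin" remip=10.20.0.5 reason="N/A"
date=2026-06-18 time=09:47:12 type="event" subtype="system" action="login" user="admin" remip=203.0.113.10 reason="N/A"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAIL_ACTIONS = {"ssl-login-fail"}      # assumed failure marker
SUCCESS_ACTIONS = {"tunnel-up"}        # assumed success marker

# Site-specific internal ranges. A plain RFC 1918 list is used on purpose:
# ipaddress.is_private/is_global also classify the documentation ranges used
# in the sample, which here stand in for public addresses.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one key=value log line into a dict and attach a datetime."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ev["ts"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
    return ev


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_credential_stuffing(text, window=timedelta(minutes=10),
                               min_failures=5, min_users=3):
    """Per source IP, look back `window` from each event. Raise a spray alert
    when failures cover many distinct accounts, and a second alert when a
    success follows that many failures (a replayed credential still works)."""
    by_ip = defaultdict(list)
    for ev in parse_logs(text):
        if ev.get("subtype") == "vpn":
            by_ip[ev["remip"]].append(ev)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        sprayed = False
        for i, ev in enumerate(events):
            start = ev["ts"] - window
            fails = [e for e in events[:i + 1]
                     if e["ts"] >= start and e["action"] in FAIL_ACTIONS]
            users = {e["user"] for e in fails}
            if not sprayed and len(fails) >= min_failures and len(users) >= min_users:
                alerts.append({"type": "password_spray", "remip": ip,
                               "failures": len(fails), "accounts": sorted(users)})
                sprayed = True
            if ev["action"] in SUCCESS_ACTIONS and len(fails) >= min_failures:
                alerts.append({"type": "success_after_spray", "remip": ip,
                               "user": ev["user"], "failures_before": len(fails)})
    return alerts


def detect_external_admin_logins(text):
    """Flag administrative logins whose source is outside the internal ranges:
    evidence that the management interface is reachable from the internet."""
    hits = []
    for ev in parse_logs(text):
        if ev.get("subtype") == "system" and ev.get("action") == "login":
            addr = ipaddress.ip_address(ev["remip"])
            if not any(addr in net for net in INTERNAL_NETS):
                hits.append({"user": ev["user"], "remip": ev["remip"],
                             "ts": ev["ts"].isoformat()})
    return hits


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOGS) + detect_external_admin_logins(SAMPLE_LOGS):
        print(alert)
```

The two-failure, one-success sequence for "bwong" stays silent because the thresholds require both volume and account breadth; tune them to your login rate, and feed the same logic a longer window if the attacker paces attempts, as a campaign running "continuously" on automated systems can afford to do.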