National CERT Pakistan Warns Organizations to Patch Critical FortiSandbox Vulnerabilities Under Active Exploitation

National CERT Pakistan Warns Organizations to Patch Critical FortiSandbox Vulnerabilities Under Active Exploitation

National CERT Pakistan has issued an advisory urging government departments, critical infrastructure operators, financial institutions, and private sector organizations to immediately secure their Fortinet FortiSandbox deployments following reports of active exploitation attempts targeting three critical vulnerabilities. The advisory addresses CVE 2026 39808, CVE 2026 39813, and CVE 2026 25089, which affect FortiSandbox, FortiSandbox Cloud, and FortiSandbox Platform as a Service environments. According to National CERT, the vulnerabilities can be exploited remotely through internet facing FortiSandbox web interfaces and Java Remote Procedure Call application programming interfaces without requiring authentication or any user interaction. The agency warned that organizations operating exposed systems without the latest security updates face a significantly increased risk of compromise and should treat the situation as an active exploitation scenario requiring immediate action.

National CERT stated that the most severe of the identified vulnerabilities carries a Common Vulnerability Scoring System score of up to 9.8, highlighting the serious security impact associated with successful exploitation. Attackers could use these flaws to execute operating system commands remotely, bypass authentication mechanisms, and obtain full control over affected FortiSandbox infrastructure. Once compromised, these systems could be leveraged to deploy malware, steal credentials, expose sensitive organizational information, move laterally across enterprise environments, and interfere with security inspection processes that organizations rely on to detect malicious activity. The advisory noted that security researchers have already observed scanning and exploitation attempts targeting internet accessible FortiSandbox installations, reinforcing the need for organizations to promptly install Fortinet’s latest security patches. National CERT also listed several indicators that may suggest compromise, including repeated unauthorized access attempts, unexpected administrative sessions, unauthenticated Java Remote Procedure Call requests, unusual inbound traffic directed at management interfaces, and abnormal command execution originating from external internet protocol addresses.

To reduce exposure, National CERT advised organizations to immediately apply all available Fortinet security updates and remove administrative interfaces from direct internet access wherever possible. The agency recommended restricting access to web interfaces, application programming interfaces, and Java Remote Procedure Call services so they are only accessible through trusted internal systems, virtual private network gateways, or dedicated management networks. Organizations were also encouraged to enable multi factor authentication for administrative accounts, carefully review authentication and process execution logs, terminate suspicious administrative sessions, and disable unused interfaces or unnecessary external access paths. If there are any indications that a FortiSandbox appliance may have been compromised, National CERT recommended isolating the affected system from the network without delay and changing all administrative credentials after security updates have been applied or suspicious activity has been identified.

The advisory further emphasized the importance of continuous monitoring for authentication anomalies, unusual application programming interface activity, unexpected processes initiated by web services, and any signs of attackers attempting to move from compromised FortiSandbox systems into other parts of enterprise networks. National CERT instructed organizations operating internet facing FortiSandbox deployments to conduct compromise assessments, preserve relevant system and authentication logs for forensic analysis, and verify that system configurations remain consistent with approved security baselines. The agency also requested that any suspected exploitation attempts, confirmed compromises, or unusual activity related to the affected vulnerabilities be reported immediately to National CERT Pakistan to support incident response and broader threat monitoring efforts. By prioritizing timely patch deployment, reducing internet exposure, strengthening administrative access controls, and actively hunting for indicators of compromise, organizations can significantly reduce the risk posed by the ongoing exploitation attempts targeting vulnerable FortiSandbox environments.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Post Comment