The Broadside · News

Attackers exploit two FortiSandbox flaws before CISA lists them in KEV

The risk has moved faster than the mandate, leaving Fortinet customers to triage exposed sandboxes without the federal deadline signal.


TL;DR

CyberScoop reports researchers saw exploitation of FortiSandbox CVE-2026-39808 and CVE-2026-39813, plus attempts against CVE-2026-25089; Fortinet has not confirmed exploitation. Fortinet disclosed and patched the first two critical flaws in April and the third on June 9; Defused counted 49 events from 11 IPs over six days. The Cybersecurity and Infrastructure Security Agency had not added the defects to the Known Exploited Vulnerabilities (KEV) catalog as of Wednesday. For a trusted sandbox appliance, absence from KEV changes the federal calendar while leaving the exposure intact.

CyberScoop’s report makes this a patch-and-hunt item, with a caveat worth keeping: the exploitation claims come from researchers. Fortinet has not confirmed them. VulnCheck said it first observed exploitation of CVE-2026-39808, an OS command injection vulnerability, on June 9. Defused confirmed activity against that flaw on June 11 and observed CVE-2026-39813, a path traversal vulnerability, on June 15. Fortinet disclosed and patched both in April.

Defused also told CyberScoop that attackers are attempting CVE-2026-25089, which Fortinet disclosed and patched June 9. The firm counted 49 exploitation events from 11 distinct IP addresses over six days and traced malicious activity to 13 sources in nine countries. Researchers have not seen evidence of chaining, but they described working exploits that bypass authentication, escalate privileges and execute arbitrary commands. That is enough for version checks and log review before a government catalog entry appears.

The federal compliance consequence is mechanical. The Cybersecurity and Infrastructure Security Agency had not added the three CVEs to the Known Exploited Vulnerabilities (KEV) catalog as of CyberScoop’s report. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by CISA’s due dates, and CISA says the catalog is based on evidence of active exploitation (https://www.cisa.gov/news-events/alerts/2026/04/06/cisa-adds-one-known-exploited-vulnerability-catalog). Until a KEV entry appears, there is no KEV clock. FortiSandbox’s role makes waiting a bad default: it ingests suspicious content and supports detection workflows across environments that tend to trust it.
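The triage logic the article implies (patch-and-hunt on third-party evidence, with or without a KEV entry) can be made routine. The following is an added example, not code from the article, Fortinet or CISA. It assumes the field names of CISA's public KEV JSON feed (`vulnerabilities`, `cveID`, `dateAdded`, `dueDate`, `requiredAction`), but the feed content embedded below is constructed so the script runs offline; the made-up entry `CVE-2026-00001` exists only to exercise the "already in KEV" branch. The watchlist carries only what the article states: the three CVE ids, the weakness classes it names for two of them, and the researcher first-seen dates.

```python
"""Cross-check a CVE watchlist against a KEV feed and surface the gap
between "exploitation reported" and "federal deadline exists".

Added example. The real feed lives at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
(assumed field names); the JSON below is a constructed stand-in.
"""
import json
from datetime import date

# Constructed KEV feed: one made-up entry so the in-KEV path is exercised.
KEV_FEED_JSON = """
{
  "catalogVersion": "constructed",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-00001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "dateAdded": "2026-06-10",
      "dueDate": "2026-07-01",
      "requiredAction": "Apply mitigations per vendor instructions."
    }
  ]
}
"""

# Watchlist from the article. "reported_by" is a researcher claim,
# not vendor confirmation; "first_seen" is None where no date was given.
WATCHLIST = [
    {"cve": "CVE-2026-39808", "product": "FortiSandbox",
     "weakness": "OS command injection",
     "reported_by": "VulnCheck", "first_seen": "2026-06-09"},
    {"cve": "CVE-2026-39813", "product": "FortiSandbox",
     "weakness": "path traversal",
     "reported_by": "Defused", "first_seen": "2026-06-15"},
    {"cve": "CVE-2026-25089", "product": "FortiSandbox",
     "weakness": "not stated in report",
     "reported_by": "Defused", "first_seen": None},
    {"cve": "CVE-2026-00001", "product": "ExampleProduct",   # constructed
     "weakness": "constructed", "reported_by": None, "first_seen": None},
]

# Ordering used to sort the output: no-KEV-clock items float to the top.
PRIORITY = {"exploited_not_in_kev": 0, "in_kev": 1, "patch_available": 2}


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed document by CVE id."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def triage(watchlist: list, kev_index: dict, today_iso: str) -> list:
    """Classify each watchlist item and attach a concrete next action.

    in_kev              -> BOD 22-01 due date applies; report days left.
    exploited_not_in_kev-> third-party evidence, no federal clock; act now.
    patch_available     -> no exploitation evidence; normal cadence.
    """
    today = date.fromisoformat(today_iso)
    results = []
    for item in watchlist:
        entry = kev_index.get(item["cve"])
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            status = "in_kev"
            action = (f"BOD 22-01 due {entry['dueDate']} "
                      f"({(due - today).days} days left)")
        elif item["reported_by"]:
            status = "exploited_not_in_kev"
            action = (f"no KEV clock; {item['reported_by']} reports exploitation: "
                      "verify appliance version, review logs, patch now")
            if item["first_seen"]:
                seen = date.fromisoformat(item["first_seen"])
                action += f"; first seen {(today - seen).days} days ago"
        else:
            status = "patch_available"
            action = "patch on normal cadence"
        results.append({**item, "status": status, "action": action})
    results.sort(key=lambda r: PRIORITY[r["status"]])
    return results


if __name__ == "__main__":
    for row in triage(WATCHLIST, load_kev(KEV_FEED_JSON), date.today().isoformat()):
        print(f"{row['cve']:16} {row['status']:22} {row['action']}")
```

Run against the live feed by replacing `KEV_FEED_JSON` with the downloaded document; the point of the sort order is that items with researcher-reported exploitation but no catalog entry are the ones a KEV-driven process would otherwise leave at the bottom of the queue.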


Published · Deep Fathom
