Source: byteiota.com · topic: ai-safety

FortiSandbox: Three Critical CVEs Actively Exploited Now

Three critical vulnerabilities in Fortinet's FortiSandbox are being actively exploited, including one patched just three weeks ago. All three require no authentication and allow full command execution, with one exploit reportedly AI-generated. FortiSandbox is the verdict engine at the center of Fortinet's Security Fabric, meaning compromise could allow malware to bypass other Fortinet products.

Published June 29, 2026 · 4 min read

Three critical vulnerabilities in Fortinet’s FortiSandbox are being actively exploited right now — including one that was only patched three weeks ago. All three require zero authentication. All three can give an attacker full command execution on the affected system. And one of the circulating exploits was apparently written by an AI tool: threat intelligence firm Defused Cyber describes it as “vibecoded” — AI-generated, likely faulty logic. That is not reassuring. It means a working version could arrive any day.

FortiSandbox Is Not Just Another Product

FortiSandbox is the verdict engine at the center of Fortinet’s Security Fabric. FortiGate firewalls, FortiMail, and FortiClient endpoint agents all query it to determine whether a file or URL is malicious. Compromise it, and you have not just broken one appliance — you have compromised the conviction layer that every other Fortinet product depends on for its blocking decisions. Manipulate the verdicts, and malware walks straight through.

The Three Vulnerabilities

All three bugs require no authentication and carry CVSS scores of 9.1:

  • CVE-2026-39813 — Path traversal in the JRPC API. Lets an unauthenticated attacker bypass authentication entirely via crafted HTTP requests. Patched April 2026.
  • CVE-2026-39808 — OS command injection in the same API. Unauthenticated remote code execution via crafted HTTP requests. Patched April 2026.
  • CVE-2026-25089 — OS command injection in the web UI. Affects FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Unauthenticated command execution via crafted HTTP requests. Patched June 9, 2026. Exploitation attempts began within days of disclosure.

CVE-2026-39813 and CVE-2026-39808 are natural attack partners: the first bypasses authentication, the second executes commands. Chain them together and you have unauthenticated RCE with no prerequisites other than network access to the API.

The AI-Generated Exploit Problem

Here is the part that deserves more attention than it is getting. Defused Cyber flagged the exploit circulating for CVE-2026-25089 as “vibecoded” — assembled using an AI model, with faulty logic. No confirmed working public exploit for CVE-2026-25089 exists yet. But attackers are already probing production systems with broken AI-generated code, banking on volume to compensate for quality.

This is the new reality. LLMs can ingest a CVE description and a security advisory and generate plausible exploit code in minutes. Most of it will not work. Some of it will. And unlike a human researcher who needs weeks to develop a reliable exploit, an AI can iterate on a broken attempt continuously. The gap between CVE disclosure and weaponized exploit — already collapsing — just got narrower. The two patches from April confirm this: two months from fix to active exploitation is now considered a slow attack cycle.

Two Months Is Too Long

CVE-2026-39813 and CVE-2026-39808 were patched in April. Exploitation began in June. That means organizations had two full months to deploy patches that were available, and a significant number did not. This is not a FortiSandbox problem — it is a patch discipline problem. The attackers are patient. They scan, find unpatched instances, and move. Security teams that treat April patches as optional homework are handing them an open door.

CVE-2026-25089 offers no grace period at all. It was disclosed and patched on June 9. Exploit attempts — even faulty, AI-generated ones — are already hitting production endpoints. The window between “patch available” and “actively probed” is now measured in days, not months.

What to Do Right Now

If you are running FortiSandbox, this is the action list:

  • Upgrade to FortiSandbox 5.0.6 or 4.4.9 — these fix CVE-2026-25089. Confirm April patches are also applied for CVE-2026-39813 and CVE-2026-39808.
  • If patching is not immediate: restrict web UI and JRPC API access to trusted IP ranges now. Do not leave these endpoints exposed to the internet.
  • Review logs for anomalous HTTP requests targeting the FortiSandbox web interface. Even failed vibecoded attempts leave traces.
  • Check Fortinet’s PSIRT portal for the latest advisory details and additional mitigations.
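The action list above boils down to three checks a defender can script: is the installed build at or above the fixed versions named here, are the web UI and JRPC API reached only from trusted ranges, and do the access logs show the traversal sequences or shell metacharacters that crude injection attempts leave behind. The following Python is an added example written for this article; it is not Fortinet code and not a parser for FortiSandbox's real log format. The log lines are constructed, the `/jrpc` and `/ui` path prefixes and the `10.20.0.0/24` trusted range are assumptions, and the version table contains only the two fixed builds (5.0.6 and 4.4.9) the article lists.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Fixed builds named in the article, keyed by release branch. Any other branch
# is treated as unverified, so the function reports it as not patched and the
# operator has to consult the PSIRT advisory.
FIXED_VERSIONS = {(5, 0): (5, 0, 6), (4, 4): (4, 4, 9)}

# Assumed URL prefixes for the two exposed surfaces and an assumed trusted
# management range. Adjust both to the deployment you are checking.
SENSITIVE_PREFIXES = ("/jrpc", "/ui")
TRUSTED_RANGES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines in common access-log style: one benign internal
# query, a traversal probe and a follow-up from an untrusted address, a
# metacharacter probe against the UI, and a benign dashboard request.
SAMPLE_LOG = """\
10.20.0.15 - - [29/Jun/2026:08:01:12 +0000] "POST /jrpc HTTP/1.1" 200 512
203.0.113.44 - - [29/Jun/2026:08:02:30 +0000] "GET /jrpc/../../etc/passwd HTTP/1.1" 404 0
203.0.113.44 - - [29/Jun/2026:08:02:31 +0000] "POST /jrpc HTTP/1.1" 500 0
198.51.100.9 - - [29/Jun/2026:08:03:02 +0000] "GET /ui/login?user=admin;id HTTP/1.1" 400 0
10.20.0.15 - - [29/Jun/2026:08:04:40 +0000] "GET /ui/dashboard HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Plain and percent-encoded "../" sequences.
TRAVERSAL_RE = re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)
# Shell metacharacters, plain and percent-encoded, that have no business in a
# request path or query string to these interfaces.
SHELL_META_RE = re.compile(r"[;|`$&]|%3b|%7c|%60|%24|%26", re.IGNORECASE)


def is_patched(version: str) -> bool:
    """True only if the build is at or above the fixed version for its branch."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return False  # unknown branch: do not assume it is fixed
    return parts >= fixed


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    reasons: tuple


def is_trusted(ip: str, trusted=TRUSTED_RANGES) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source field is itself suspicious
    return any(addr in net for net in trusted)


def triage(log_text: str, trusted=TRUSTED_RANGES) -> list:
    """Flag requests to the sensitive prefixes that come from outside the
    trusted ranges or carry traversal / shell-metacharacter payloads."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; leave it alone
        ip, ts, path = m.group("ip"), m.group("ts"), m.group("path")
        reasons = []
        if path.startswith(SENSITIVE_PREFIXES) and not is_trusted(ip, trusted):
            reasons.append("untrusted_source")
        if TRAVERSAL_RE.search(path):
            reasons.append("path_traversal")
        if SHELL_META_RE.search(path):
            reasons.append("shell_metacharacters")
        if reasons:
            findings.append(Finding(ip, ts, path, tuple(reasons)))
    return findings


def count_by_ip(findings: list) -> dict:
    """Number of flagged requests per source address, for a quick block list."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    print("5.0.6 patched:", is_patched("5.0.6"), "| 4.4.8 patched:", is_patched("4.4.8"))
    for f in triage(SAMPLE_LOG):
        print(f.timestamp, f.ip, f.path, ", ".join(f.reasons))
    print(count_by_ip(triage(SAMPLE_LOG)))
```

Note that the "untrusted_source" reason fires even for a syntactically clean request, which is the point: once the API is restricted to trusted ranges, any hit from elsewhere is a finding regardless of payload, and the pattern checks only add colour to it.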

The Bigger Pattern

FortiSandbox is the third major Fortinet exposure this month — FortiBleed compromised 73,000 firewalls just over a week ago. But the more important pattern is broader: security tools are increasingly the primary attack surface. Microsoft Defender became an escalation vector via RoguePlanet. Amazon Q’s AI coding assistant was silently stealing AWS credentials. Now FortiSandbox — the tool whose entire job is to catch malware — is running unpatched command injection flaws under active exploitation.

Security tooling is not automatically safer than the applications it protects. Patch it with the same urgency. Then check whether your organization’s patch SLAs are still calibrated for a world where AI-generated exploits can appear within 48 hours of CVE disclosure. If they are not, update them before the next wave arrives — and there will be a next wave.

Full CVE details and patch guidance are available at the Fortinet PSIRT portal. Additional reporting from The Hacker News and Bleeping Computer.
