Canadian Cyber Security Journal
Filed under: TechTalk

Three Fortinet FortiSandbox Vulnerabilities Now Actively Exploited — What Canadian Security Teams Must Do Now

What Happened

Threat intelligence firm Defused confirmed active exploitation of three critical Fortinet FortiSandbox vulnerabilities within a 24-hour window ending June 16, 2026. The three flaws under active attack are:

CVE-2026-39813 (CVSS 9.8) — a path traversal vulnerability in the FortiSandbox JRPC API. An unauthenticated attacker sends specially crafted HTTP JSONRPC POST requests to bypass authentication and escalate privileges. Affected versions: 5.0.0–5.0.5 and 4.4.0–4.4.8.

CVE-2026-39808 (CVSS 9.1) — an OS command injection flaw in the same JRPC API component, allowing an unauthenticated attacker to execute arbitrary system commands via crafted HTTP requests.

CVE-2026-25089 (CVSS 9.1) — an OS command injection vulnerability in the FortiSandbox Web UI, patched in April 2026 and previously reported as unpatched in the May 13 Daily Brief.

Honeypot monitoring detected exploitation attempts originating from IP address 141.11.43.175 (ASN AS136510) over port 443 using crafted JSONRPC POST requests. Fortinet released patches for all three vulnerabilities in April 2026, but organizations with internet-exposed management interfaces running unpatched versions are at immediate risk.

Source: Help Net Security / BleepingComputer

Why This Matters for Canadian Organizations

Fortinet is among the most widely deployed security vendors in Canadian enterprises, government departments, healthcare organizations, managed service providers, and financial institutions. FortiSandbox in particular is common in environments that require advanced threat detection for email and web content filtering — precisely the environments where a threat actor who achieves compromise gains visibility into the full malware detection pipeline, including evasion research capabilities and queued threat samples from across the organization.

The CCCS has referenced Fortinet exploitation repeatedly in 2026 advisories, and the pattern of attackers exploiting Fortinet management interfaces has been a recurring initial access vector in Canadian incidents. For organizations already running patched FortiSandbox versions, the active exploitation underscores the need to confirm management interfaces are not exposed to the internet, which remains the most common misconfiguration enabling remote unauthenticated attacks. Under OSFI Guideline B-13, regulated financial institutions are required to maintain a current inventory of internet-facing assets and ensure critical patches are applied within defined timeframes — active exploitation of a two-month-old patch makes compliance status an immediate concern.

What to Do

Upgrade FortiSandbox to version 4.4.9 or 5.0.6 immediately if not already done. Confirm the management interface (port 443) is not exposed to the public internet and is accessible only from trusted internal or VPN-gated networks. Block inbound access from 141.11.43.175, but treat that address as a single honeypot-observed source rather than the attacker's full infrastructure, and review logs for JSONRPC POST requests to the JRPC API endpoint from any untrusted source, in particular requests showing authentication bypass indicators. If your environment runs FortiSandbox 5.0.0–5.0.5 or 4.4.0–4.4.8 and the management interface has been internet-facing, treat the system as potentially compromised: preserve logs and configuration before touching the appliance and initiate an incident review before applying the patch, since an upgrade may rotate or overwrite the evidence you need. Report confirmed exploitation to the CCCS via cyber.gc.ca.
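The log review above can be scripted. The following is an added example written for this article, not Fortinet code and not taken from the cited reports. It scans access-log lines from a proxy or WAF in front of the management interface for JSONRPC POST requests to the JRPC API that arrive from outside trusted networks, carry path traversal sequences (CVE-2026-39813) or shell metacharacters (CVE-2026-39808 and CVE-2026-25089) in their parameters, or come from the published source IP. The log format, the /jsonrpc endpoint path, the RFC1918 "trusted management" ranges and the JSONRPC method names in the sample lines are all assumptions, since the article names none of them; the sample lines are constructed, not real FortiSandbox output.

```python
"""Added example: flag suspicious JSONRPC POST requests to a FortiSandbox
management interface in access logs. Not Fortinet code; see assumptions."""
import ipaddress
import json
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Indicator quoted in the article (honeypot-observed source address).
IOC_SOURCE_IPS = {"141.11.43.175"}

# ASSUMPTION: RFC1918 ranges stand in for your real management networks.
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ASSUMPTION: the article does not name the JRPC endpoint path; adjust this
# pattern to the path your appliance actually serves.
JRPC_PATH_RE = re.compile(r"/(jsonrpc|jrpc)\b", re.IGNORECASE)

# Traversal sequences (checked after percent-decoding) and shell metacharacters
# that have no business in a legitimate API parameter.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
CMD_INJECTION_RE = re.compile(r"[;|`]|\$\(|&&")

# ASSUMPTION: simplified log format
#   <ts> <src> "<METHOD> <path> HTTP/x.y" <status> <raw body or ->
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<body>.*)$'
)

# Constructed sample lines (not real FortiSandbox logs); method names invented.
SAMPLE_LOG = """\
2026-06-15T21:04:11Z 10.20.30.5 "POST /jsonrpc HTTP/1.1" 200 {"id":1,"method":"sys.status","params":{}}
2026-06-15T21:05:02Z 141.11.43.175 "POST /jsonrpc HTTP/1.1" 200 {"id":2,"method":"get","params":{"url":"../../../../data/config"}}
2026-06-15T21:05:09Z 203.0.113.77 "POST /jsonrpc HTTP/1.1" 200 {"id":3,"method":"run","params":{"name":"x;id"}}
2026-06-15T21:06:00Z 10.20.30.5 "GET /login HTTP/1.1" 200 -
2026-06-15T21:06:30Z 198.51.100.9 "POST /jsonrpc HTTP/1.1" 200 {"id":4,"method":"get","params":{"url":"..%2F..%2Fetc%2Fpasswd"}}
"""


@dataclass
class Finding:
    ts: str
    src: str
    path: str
    reasons: tuple


def _json_strings(obj):
    """Yield every string value nested anywhere inside a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _json_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _json_strings(v)


def _is_trusted(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_MGMT_NETS)


def classify(line: str):
    """Return a Finding for a suspicious line, None for benign or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["src"] in IOC_SOURCE_IPS:
        reasons.append("source IP matches published indicator")
    if m["method"] == "POST" and JRPC_PATH_RE.search(m["path"]):
        if not _is_trusted(m["src"]):
            reasons.append("JRPC POST from outside trusted management networks")
        try:
            body = json.loads(m["body"])
        except json.JSONDecodeError:
            body = m["body"]  # not JSON: scan the raw text instead
        flags = set()
        for s in _json_strings(body):
            decoded = unquote(s)  # catch ..%2F style encoding of traversal
            if TRAVERSAL_RE.search(decoded):
                flags.add("path traversal sequence in JSONRPC parameter")
            if CMD_INJECTION_RE.search(decoded):
                flags.add("shell metacharacters in JSONRPC parameter")
        reasons.extend(sorted(flags))
    if not reasons:
        return None
    return Finding(m["ts"], m["src"], m["path"], tuple(reasons))


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in map(classify, lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} {f.path}: " + "; ".join(f.reasons))
```

Run it against the exported access log of whatever sits in front of the appliance. Two design points matter: the body is percent-decoded before matching, because URL-encoded traversal is the obvious evasion, and a JRPC POST from a non-trusted source is flagged on its own, since the article's core finding is that exposed management interfaces are the problem regardless of which source IP the attacker uses that day. Correlating those requests with the absence of a preceding login is a second pass that needs the appliance's own session logs.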
