Both bugs are unauthenticated, carry CVSS 9.1, and let attackers run code on the sandbox appliance. Federal agencies must patch or pull the gear; private operators should treat the move as a confirmed urgency signal for the FortiSandbox surface.
CISA added two critical FortiSandbox vulnerabilities to its Known Exploited Vulnerabilities catalog on July 16, converting vendor patches Fortinet shipped in April and June into a binding remediation clock for U.S. federal civilian agencies.
FortiSandbox is Fortinet's appliance for detonating and analyzing suspicious files; the same code base ships as FortiSandbox Cloud and FortiSandbox PaaS, so an unauthenticated OS command-injection bug in the device is reachable from any network segment that can reach its management interface. Both CVEs, CVE-2026-39808 and CVE-2026-25089, carry CVSS 9.1, require no credentials, and can be triggered by crafted HTTP requests, the kind of reach that turns a sandbox into a foothold.
The binding part is CISA's Binding Operational Directive 26-04. A KEV addition under BOD 26-04 forces federal civilian executive branch agencies to remediate within the deadline CISA sets or remove the affected product from service if it cannot be adequately secured. The directive does not bind private-sector operators directly, but it sets the de facto urgency signal: when CISA moves a vendor sandbox onto KEV, the next thing to check is the patch level on every FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS instance on the network.
The "in the wild" signal CISA acted on is firm but thin. Security firm Defused told The Register it observed exploitation attempts against both flaws this week, alongside a third FortiSandbox flaw, CVE-2026-39813, that sits outside the KEV addition. Defused characterized the observed exploit for CVE-2026-25089 as "vibecoded" and likely broken, and has not yet seen a working public exploit. Fortinet has not publicly confirmed exploitation in the wild and had not updated its FG-IR-26-100 and FG-IR-26-141 advisories to mark either CVE as exploited at time of reporting. CISA rarely attributes KEV attacks or discloses scale, so the catalog addition rests on the federal evidentiary threshold, not on a public incident write-up.
The triage order for IT and security operators is concrete. Inventory every FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS instance. Confirm the April 2026 fix for CVE-2026-39808 and the June 2026 fix for CVE-2026-25089 are applied on the relevant versions, because BOD 26-04 is the clock even if the public exploit code is not yet functional. Watch the Fortinet PSIRT advisories for an "exploited in the wild" update; the firm-but-thin signal can firm up quickly, and the KEV listing will not be the last word on these CVEs.
The CISA alert covering the KEV addition also lists CVE-2026-58644, a sign federal tracking is consolidating around the FortiSandbox surface rather than the two command-injection bugs alone. Operators with FortiSandbox in the environment should treat the alert, the KEV listing, and the federal deadline as a single operational package rather than three separate events.