CISA urges immediate patching of Fortinet FortiSandbox
π‘οΈ The US Cybersecurity and Infrastructure Security Agency (CISA) has added two critical FortiSandbox vulnerabilities, CVE-2026-39808 and CVE-2026-25089, to its Known Exploited Vulnerabilities catalog and ordered federal agencies to apply patches by July 19. Both flaws are OS command injection bugs with CVSS scores of 9.1 and have documented in-the-wild exploitation. Fortinet released fixes in FortiSandbox versions 4.4.9 and 5.0.6; CISA advised discontinuing cloud services where mitigations are unavailable.
