Active Exploitation of Multiple Critical FortiSandbox Vulnerabilities
Threat actors are actively exploiting multiple critical vulnerabilities in Fortinet FortiSandbox products, including CVE-2026-39813 (path traversal), CVE-2026-39808 (OS command injection), and CVE-2026-25089 (OS command injection). These flaws could allow unauthenticated attackers to bypass authentication, execute unauthorized code or commands, and escalate privileges. Fortinet released patches for these vulnerabilities in April and June 2026. Exploitation has been observed from multiple sources across various countries.
Signal context
First seen: Jun 9, 2026
Last updated: Jun 19, 2026
Status: Public signal
Key points
- CVE-2026-39813 (CVSS 9.1): Path traversal vulnerability allowing unauthenticated authentication bypass.
- CVE-2026-39808 (CVSS 9.1): OS command injection allowing unauthenticated code execution.
- CVE-2026-25089 (CVSS 9.1): OS command injection.
Signal analysis
BetaIt helps compare this signal with other published signals without treating the labels as final determinations.
Likely country: 🇺🇸 United States
inferred from source domains
Watch internet-facing systems, credential abuse and exploit activity.
- Source type: outside the affected organization
Impact area: Confidentiality
- 1 signal in the same sector
- 22 signals with the same likely impact area
- 3 signals linked to this organization/domain
External sources
https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposurehttps://www.cisa.gov/news-events/alerts/2026/06/18/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposurePublic source from cisa.gov.
https://arcticwolf.com/resources/security-bulletins/active-fortibleed-campaign-impacting-fortinet-devices-across-194-countries/https://arcticwolf.com/resources/security-bulletins/active-fortibleed-campaign-impacting-fortinet-devices-across-194-countries/Public source from arcticwolf.com.
https://www.hudsonrock.com/blog/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosurehttps://www.hudsonrock.com/blog/fortibleed-75000-fortinet-firewalls-compromised-global-enterprises-exposed-claim-your-ethical-disclosurePublic source from hudsonrock.com.
https://www.csoonline.com/article/2142272/fortibleed-campaign-exposes-75000-fortinet-firewalls-worldwide.htmlhttps://www.csoonline.com/article/2142272/fortibleed-campaign-exposes-75000-fortinet-firewalls-worldwide.htmlPublic source from csoonline.com.
https://www.bleepingcomputer.com/news/security/cisa-warns-fortinet-users-to-secure-devices-after-fortibleed-leak/https://www.bleepingcomputer.com/news/security/cisa-warns-fortinet-users-to-secure-devices-after-fortibleed-leak/Public source from bleepingcomputer.com.
https://www.bankinfosecurity.com/crime-gang-sells-access-to-74000-fortinet-firewall-devices-a-25087https://www.bankinfosecurity.com/crime-gang-sells-access-to-74000-fortinet-firewall-devices-a-25087Public source from bankinfosecurity.com.
https://www.thehackernews.com/2026/06/attackers-exploit-three-fortinet.htmlhttps://www.thehackernews.com/2026/06/attackers-exploit-three-fortinet.htmlPublic source from thehackernews.com.
Related signals
Grouped by why the signal is relevant.
FortiCloud SSO Authentication Bypass Vulnerabilities Actively Exploited
Multiple critical authentication bypass vulnerabilities related to FortiCloud Single Sign-On (SSO) have been actively exploited in Fortinet products. CVE-2026-24858, disclosed in January 2026, allowed malicious actors with a FortiCloud account to log in to devices registered to other users if FortiCloud SSO was enabled. This led to unauthorized firewall configuration changes, account creation, and VPN configuration changes. Earlier, CVE-2025-59718 and CVE-2025-59719 (December 2025) allowed unauthenticated attackers to bypass SSO login via crafted SAML messages. Attacks exploiting these flaws have been observed creating rogue accounts and stealing firewall configuration data.
Critical FortiClient EMS Flaws Actively Exploited to Deploy Credential Stealers
Threat actors are actively exploiting critical vulnerabilities in Fortinet FortiClient Endpoint Management Server (EMS), including CVE-2026-35616 and CVE-2026-21643. CVE-2026-35616, a critical security flaw, was actively exploited in the wild to deploy credential-stealing malware (EKZ Infostealer), prompting an emergency patch in April 2026. CVE-2026-21643 is also mentioned in active exploitation campaigns.
Oracle Affected by FortiBleed Campaign
Oracle was identified as one of over 22,000 corporate domains affected by the FortiBleed campaign. A Russian-speaking criminal group compromised Fortinet firewall and VPN devices globally, exfiltrating credentials and potentially gaining full network access.
Paywall Bypass Vulnerability
Tweakers.net has identified a vulnerability that allows for the bypass of its paywall. This issue is listed as a 'Known issue' within their bug bounty program, indicating that the company is aware of the flaw and is seeking ethical hackers to report findings related to it. A successful bypass could allow unauthorized access to premium content.
Horizon Family Medical Group Data Breach
Reports emerged on June 18, 2026, of a possible data breach at Horizon Family Medical Group, a medical provider in New York's Hudson Valley region. Threat actor Incransom claimed to have stolen 7 TB of data, including medical information such as diagnoses, prescriptions, treatments, and lab results.
Council of Europe Hacked by ShinyHunters, 297 GB of Data Stolen
The notorious extortion group ShinyHunters claimed to have hacked the Council of Europe, stealing nearly 300 gigabytes of data, including employee personal information, payroll data, CVs, and medical records. The group threatened to leak the data if negotiations were not initiated.