Agentic Intelligence · Infomly
Jun 18, 2026
9:26 PM
Enterprise AI Impact

Three FortiSandbox CVEs just chained into unauthenticated root. Seven financial institutions are already compromised.

Your sandbox just became the attacker's foothold.

Three Fortinet FortiSandbox vulnerabilities — CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 — are being chained together in active exploitation.

The attack sequence is brutal in its simplicity:

Path traversal reads your config database.
Stolen credentials authenticate to the web UI.
RCE payload executes. Privilege escalation lands at root.

Seven deployments across North American and European financial services and critical infrastructure are confirmed compromised as of June 16.

Here is why this matters: FortiSandbox is the appliance your other security tools trust. Firewalls, endpoint agents, email security — they all treat FortiSandbox verdicts as authoritative.

An attacker with root access to your sandbox can manipulate analysis output. Malicious files get clean verdicts. Your entire detection stack becomes blind.

This is not a theoretical risk. Threat intelligence firm Defused confirmed active exploitation. Addition to CISA's Known Exploited Vulnerabilities (KEV) catalog is expected imminently.

Audit your FortiSandbox deployments today. Patch to version 5.4.3 immediately. If your management interface is internet-facing, assume compromise.