Yesterday, CISA announced that it had added two OS command injection vulnerabilities in the FortiGuard FortiSandbox product to the Known Exploited Vulnerabilities (KEV) catalog.
CVE-2026-25089 – This vulnerability was previously reported by FortiGuard in June. FortiGuard has new versions that mitigate the vulnerability.
CVE-2026-39808 – This vulnerability was previously reported by FortiGuard in April. FortiGuard has a new version that mitigates the vulnerability. The vulnerability was originally reported by Samuel de Lucas Maroto from KPMG Spain. Proof-of-concept code was published by Samu DeLucas on April 15th, 2026.
CISA has directed federal agencies using the FortiSandbox product to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. A compliance deadline of July 19th, 2026 has been established.
