defense · BleepingComputer
CISA has ordered U.S. federal agencies to patch two actively exploited vulnerabilities in Fortinet FortiSandbox by July 19, 2026. The flaws (CVE-2026-39808 and CVE-2026-25089) were patched by Fortinet in April and June respectively and allow unauthenticated attackers to execute remote code through low-complexity command injection. Threat intelligence firm Defused reported in-the-wild exploitation as of June 16, and CISA has since added these vulnerabilities to its catalog of known exploited vulnerabilities, triggering the federal patching mandate under Binding Operational Directive 26-04.
Defense contractors and government vendors handling Controlled Unclassified Information should treat this as a compliance priority: NIST 800-171 and CMMC frameworks require timely vulnerability remediation, and federal agencies' patching deadline creates downstream pressure on their suppliers. Organizations relying on Fortinet FortiSandbox for security operations should immediately verify their deployment versions and prioritize upgrades to eliminate command injection attack surfaces. An Omniware engagement can scope your current Fortinet posture and map remediation timelines to your contractual compliance obligations.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/cisa-warns-feds-to-patch-exploited-fortinet-fortisandbox-flaws-by-sunday/
Source: BleepingComputer
All briefings