National CERT warns of active attacks exploiting critical FortiSandbox flaws
Unauthenticated vulnerabilities carry a severity score of up to 9.8 and could allow remote command execution, authentication bypass and full system compromise

National CERT Pakistan has warned government departments, critical infrastructure operators, financial institutions and businesses to immediately secure Fortinet FortiSandbox systems after confirming active exploitation attempts against three critical vulnerabilities.
The advisory covers CVE-2026-39808, CVE-2026-39813 and CVE-2026-25089 affecting FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS environments.
According to National CERT, the flaws can be exploited remotely without authentication or user interaction through internet-facing FortiSandbox web interfaces and JRPC application programming interfaces.
The most severe vulnerability carries a CVSS score of up to 9.8. Successful exploitation could allow attackers to execute operating system commands, bypass authentication controls and take full control of affected sandbox infrastructure.
National CERT said compromised systems could be used to deploy malware, steal credentials, expose sensitive data, move laterally across enterprise networks and disable or manipulate security inspection processes.
The agency said security researchers had observed scanning and exploitation attempts targeting internet-exposed FortiSandbox installations. Organisations that have not installed Fortinet’s latest security updates remain at high risk.
Potential signs of compromise include repeated unauthorised access attempts, unexpected administrative sessions, unauthenticated JRPC requests, unusual inbound traffic to management interfaces and abnormal command execution from external internet protocol addresses.
National CERT advised organisations to immediately apply Fortinet security patches and remove administrative interfaces from direct public internet access.
It also recommended restricting web, API and JRPC access to approved internal systems, virtual private network gateways or dedicated management networks.
Organisations were directed to enable multi-factor authentication for administrative accounts, review authentication and process execution logs, terminate suspicious sessions and disable unused interfaces and external access paths.
Potentially compromised appliances should be isolated immediately, while administrative credentials should be changed after patching or any sign of suspicious activity.
The advisory also called for continuous monitoring of authentication anomalies, abnormal API activity, unexpected processes launched by web services and possible movement from compromised sandbox systems into other parts of organisational networks.
National CERT said all internet-facing FortiSandbox systems should undergo compromise assessments, with logs preserved for forensic investigation and system configurations checked against approved baselines.
Suspected compromises, exploitation attempts or anomalous activity should be reported immediately to National CERT Pakistan.
The agency said affected organisations should treat the situation as an active exploitation scenario and prioritise patch deployment, reduction of internet exposure and threat hunting.
Comments
No comments yet. Be the first to join the discussion!







