Tags: fortinet, CVE, Vulnerability Research, Critical Infrastructure

Fortinet FortiSandbox: three vulnerabilities, one attack pattern, zero credentials needed

Three critical vulnerabilities in Fortinet FortiSandbox are under active exploitation. Attackers are pulling configuration backups, serial numbers, and version information from unpatched appliances without supplying a single credential. All three CVEs are being exploited simultaneously, and one of them, CVE-2026-39813, had zero recorded exploitation history before this wave began on June 16, 2026.

What is being exploited

CVE-2026-39813 (CVSS 9.1) is a path traversal vulnerability in the FortiSandbox JRPC API. An unauthenticated attacker sends a POST request to the /jsonrpc/ endpoint on port 443 with traversal sequences in the session parameter (session: "../../tmp/"). The API processes the request without authentication and returns configuration backups, serial numbers, and version details in the response. CVE-2026-39808 was patched by Fortinet in April 2026; CVE-2026-25089 was patched more recently. CVE-2026-39813 had no exploitation record before this campaign.

The attack pattern

Threat intelligence firm Defused Cyber published honeypot telemetry showing all three CVEs being triggered over port 443 via crafted POST requests to /jsonrpc/. The attack is simple: no authentication, no chaining of exploits, no privilege escalation needed at the initial stage. The appliance just hands over its internal state to whoever asks in the right format.

This is worth pausing on. FortiSandbox is a security appliance. Organizations deploy it to detonate and analyze suspicious files. Its configuration data and version information are exactly what an attacker needs to identify the next step: which version is running, whether other known vulnerabilities apply, and how the internal network is structured around the sandboxing infrastructure.

Why security appliances keep showing up in this pattern

Security appliances, firewalls, VPN concentrators, and sandboxes are attractive targets for several compounding reasons. They are internet-exposed by design. They run specialized embedded operating systems that lag behind desktop patching cycles. Organizations frequently treat them as set-and-forget infrastructure. And they sit at the perimeter, meaning a foothold in the appliance often means a foothold at the boundary between the internet and the internal network.

Path traversal in API endpoints is not a novel vulnerability class. It has appeared in Fortinet products before, in Cisco products, in Ivanti products. The pattern is consistent: the appliance API trusts user-supplied path parameters and constructs file paths without sanitizing traversal sequences. The fix is also consistent: validate and normalize paths before using them. But the same class of vulnerability keeps appearing in production because security appliance vendors, like everyone else, ship code with bugs and then rely on customers to patch.
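The bug class and its fix, side by side, as an added example. This is not Fortinet's code and says nothing about how FortiSandbox actually stores sessions: the SESSION_ROOT directory and the identifier format are assumptions chosen so that the article's "../../tmp/" value walks out of the base directory exactly as described. The vulnerable resolver joins the caller's value straight onto the base path; the hardened one allow-lists the identifier shape and then independently confirms that the normalized result is still inside the root.

```python
import os
import re

# Hypothetical session directory for illustration; the real FortiSandbox
# filesystem layout is not described in the article.
SESSION_ROOT = "/srv/sessions"

# Allow-list for session identifiers: no separators, no dots, bounded length.
SESSION_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_session_path(session: str) -> str:
    """The bug class the article describes: the caller-supplied value is
    joined onto a base directory with no validation, so "../../tmp/" walks
    out of SESSION_ROOT and the handler reads from wherever it lands."""
    return os.path.normpath(os.path.join(SESSION_ROOT, session))


def is_within_root(path: str, root: str = SESSION_ROOT) -> bool:
    """True only if path is root itself or sits below it. commonpath compares
    whole components, so a sibling such as "/srv/sessions-old" is rejected
    even though it shares a string prefix with the root."""
    root = os.path.normpath(root)
    path = os.path.normpath(path)
    return os.path.commonpath([root, path]) == root


def safe_session_path(session: str) -> str:
    """Hardened form: reject anything that is not a bare identifier, then
    normalize and confirm containment as a second, independent check."""
    if not SESSION_ID.fullmatch(session):
        raise ValueError("session must be a bare identifier")
    candidate = os.path.normpath(os.path.join(SESSION_ROOT, session))
    # Even if the allow-list were loosened later, the containment check still
    # blocks an escape. Production code should additionally apply
    # os.path.realpath once the target exists, to defeat symlink hops.
    if not is_within_root(candidate):
        raise ValueError("session path escapes SESSION_ROOT")
    return candidate


def accepts(session: str) -> bool:
    """Does the hardened resolver accept this value?"""
    try:
        safe_session_path(session)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for s in ("abc123", "../../tmp/", "x/../../etc", "session_42"):
        print(f"{s!r:16} vulnerable -> {vulnerable_session_path(s):22} "
              f"hardened accepts -> {accepts(s)}")
```

The two checks are deliberately redundant. The allow-list is the real control; the containment check is there so that a later relaxation of the identifier format (say, to allow dots) does not silently reintroduce traversal.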

What to do

Patch immediately. Any FortiSandbox running firmware predating Fortinet's April 2026 patch cycle is being actively targeted right now. If patching is not immediately possible, restrict network access to the /jsonrpc/ management endpoint at the network layer. Verify that FortiSandbox is not directly internet-exposed unless operationally required. Check logs for POST requests to /jsonrpc/ that you did not initiate.
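A log sweep for the last step above, as an added example rather than anything from Fortinet or the article. It assumes the appliance (or a reverse proxy in front of it) writes combined-log-style access lines, and that a management network of 10.20.0.0/24 is the only place legitimate JRPC calls should originate; both are assumptions to replace with your own values. The sample lines are constructed with RFC 5737 documentation addresses, not captured traffic. The sweep flags POST requests to /jsonrpc/ from any other source and tallies them per source, which is the review list the article is asking you to build.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Combined-log-style line: source, timestamp, request line, status, size.
# Assumption: your appliance or proxy logs in roughly this shape; adapt the
# regex to the real field order before running it against production logs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumption: only these networks should ever talk to the management API.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_LOG = """
10.20.0.15 - - [16/Jun/2026:09:58:02 +0000] "POST /jsonrpc/ HTTP/1.1" 200 512
198.51.100.7 - - [16/Jun/2026:10:02:11 +0000] "POST /jsonrpc/ HTTP/1.1" 200 18344
198.51.100.7 - - [16/Jun/2026:10:02:13 +0000] "POST /jsonrpc/ HTTP/1.1" 200 18344
203.0.113.42 - - [16/Jun/2026:10:05:40 +0000] "GET /login HTTP/1.1" 200 2210
203.0.113.42 - - [16/Jun/2026:10:05:41 +0000] "POST /jsonrpc/?x=1 HTTP/1.1" 401 0
this line is not in the expected format
""".strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_management_source(src: str, nets=MANAGEMENT_NETS) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage never count as trusted
    return any(addr in net for net in nets)


def is_jsonrpc(target: str) -> bool:
    # Drop the query string and a trailing slash so /jsonrpc, /jsonrpc/ and
    # /jsonrpc/?x=1 all match, while /jsonrpc2/ does not.
    path = target.split("?", 1)[0].rstrip("/")
    return path == "/jsonrpc"


def suspicious_jsonrpc_posts(lines, nets=MANAGEMENT_NETS) -> list:
    """POST requests to /jsonrpc/ from outside the management networks.
    Status is deliberately not filtered on: an unauthenticated 200 with a
    large response body is the worst case, but 4xx probes from the same
    source still belong on the review list."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, never silently trusted
        if rec["method"] != "POST" or not is_jsonrpc(rec["target"]):
            continue
        if is_management_source(rec["src"], nets):
            continue
        findings.append(rec)
    return findings


def per_source(findings) -> Counter:
    return Counter(rec["src"] for rec in findings)


if __name__ == "__main__":
    hits = suspicious_jsonrpc_posts(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["src"]:15} POST {rec["target"]} '
              f'-> {rec["status"]} ({rec["size"]} bytes)')
    print("per source:", dict(per_source(hits)))
```

Two entries from 198.51.100.7 returning 200 with an unusually large body is the shape to look for: that is what a successful unauthenticated configuration pull would leave behind. Pair any hit with a check of the firmware version, since the same request against a patched appliance should not return that content.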

The broader principle: security tools are not exempt from security hygiene. If anything, they deserve higher patch priority because compromise of a security appliance can undermine every other control in your environment.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to discuss FortiSandbox exposure or appliance patch strategy for your organization.