Exploit-intelligence firm Defused reports that its honeypots are seeing active exploitation attempts against three already-patched Fortinet FortiSandbox vulnerabilities, and the exploit for one of them appears to have been generated by an AI model. The flaws, CVE-2026-39808, CVE-2026-39813, and CVE-2026-25089, chain authentication bypass and command injection into unauthenticated code execution on the appliance that is supposed to detonate and analyze malware. Our read: if you run FortiSandbox and have not applied the April and June updates, treat it as compromised until proven otherwise.
- CVE-2026-39813 allows authentication bypass; CVE-2026-39808 is an OS command-injection flaw enabling arbitrary code execution. Both were rated critical and patched in April.
- CVE-2026-25089 lets a remote, unauthenticated attacker run commands and was fixed in Fortinet's June Patch Tuesday.
- Defused noted the exploit for CVE-2026-25089 looks AI-authored and did not work correctly when first observed, a tell of machine-generated code.
- A malware-analysis appliance is a high-value target: it sees the samples, sits deep in the network, and is trusted.
What is FortiSandbox and why is it a prize?
FortiSandbox is Fortinet's automated malware-analysis appliance. It detonates suspicious files in an isolated environment and reports whether they are malicious, which means it sits at a sensitive junction: it receives untrusted samples by design, it is trusted by the rest of the security stack, and it usually lives deep inside the network. Compromising it gives an attacker a foothold that other defenses assume is safe, plus visibility into exactly which threats the organization is investigating. That combination is why a bug here is worse than the same bug in an ordinary server.
RelatedMicrosoft Rates M365 Copilot and Exchange Bugs Critical
How do the three flaws fit together?
Two of them chain cleanly. CVE-2026-39813 is an authentication bypass, so an attacker gets past the login gate without credentials. CVE-2026-39808 is an OS command-injection flaw, so once inside, the attacker runs arbitrary commands on the appliance. Together they turn a network-reachable box into a remote shell. CVE-2026-25089, patched separately in June, is even more direct: it lets a remote, unauthenticated attacker execute commands on its own. Defenders should assume any one of the three is enough to matter, and that attackers will use whichever the target has left unpatched.
What is the AI-generated exploit angle?
Defused observed that the exploit code for CVE-2026-25089 appeared to be written by an AI model, and tellingly, it did not work correctly when first seen. That detail is the real story. Machine-generated exploits lower the barrier to entry, letting less-skilled attackers turn a patch diff into working code, but they also carry the model's failure modes, subtly broken logic that a human would have caught. The security-industry consequence is a flood of near-miss exploitation attempts that occasionally get fixed up into working ones, compressing the window from disclosure to reliable exploitation. It is the same dynamic that pushed Adobe to move to twice-monthly patching this month.
What should defenders do right now?
Patch first: apply Fortinet's April and June FortiSandbox updates immediately, because all three CVEs are already fixed and the only reason they are being exploited is unpatched appliances. Then reduce exposure: FortiSandbox management interfaces should never be reachable from the internet, so restrict access to a management VLAN or VPN. Finally, assume-breach on anything that was exposed and unpatched: review the appliance for unexpected accounts, scheduled tasks, and outbound connections, and rotate any credentials the box could reach. A malware sandbox that has been running exposed is not a device you simply update and trust again.
RelatedGrok Build CLI Secretly Uploads Your Entire Repo to xAI
Why do security appliances keep getting breached?
Because they are the softest hard targets in the enterprise. Edge and security appliances sit at the network perimeter, run complex firmware that is patched on the vendor's cadence rather than the OS vendor's, and are trusted implicitly by everything behind them. That combination has made products from Fortinet, Citrix, Ivanti, and others a recurring hunting ground, and 2026 has only intensified it: the same AI that helps defenders triage bugs helps attackers turn a patch diff into an exploit within hours. The uncomfortable lesson is that the boxes sold to protect the network are now among its most exploited components, which is exactly why exposure management, not just patch management, has to cover them first.
- CISA KEV. Whether any of the three lands in the Known Exploited Vulnerabilities catalog with a federal deadline.
- Working exploits. Whether the AI-authored proof-of-concept gets refined into reliable, widely shared code.
- Fortinet advisory updates. Confirmation of exploitation and any indicators of compromise for hunting.
Our take
The vulnerabilities are bad, but they are patched, which makes this a management story more than a research one: the exposure is entirely in appliances that were internet-reachable and never updated. The genuinely new element is the AI-generated exploit that arrived broken. Treat that as a preview, not a footnote. The near-term threat is not flawless machine-written attacks; it is volume, a rising tide of half-working exploitation attempts that raise the odds one of them lands before you patch. The defense has not changed, but the clock has. Shrink the internet-facing footprint of security appliances, patch them on the day, and stop treating a malware sandbox as a set-and-forget box, because attackers have stopped treating it that way.
- OfficialFortinet PSIRT advisories FortiSandbox CVE details and fixed versions
- KEVCISA Known Exploited Vulnerabilities federal remediation deadlines
- ContextGenZTech CVE watchlist what is actively exploited right now
Original analysis by GenZTech. Reporting informed by Fortinet PSIRT.
