Attackers Exploit Three Critical Fortinet FortiSandbox Vulnerabilities — One Is a 'Vibecoded' AI-Generated Exploit

CVE-2026-39808: OS command injection

• Type: OS Command Injection
• Attack Vector: An unauthenticated attacker can execute unauthorized code or commands by sending crafted HTTP requests .
• Affected Products: FortiSandbox 4.4.0 through 4.4.8, with patches addressed in earlier Fortinet advisories .

CVE-2026-25089: OS command injection in the Web UI

• Type: OS Command Injection (CWE-78)
• Attack Vector: The vulnerability resides in the "start VNC" feature of the Web UI, which passes unsanitized JSON input directly to the operating system. An unauthenticated remote attacker can execute arbitrary commands via specially crafted HTTP requests .
• Affected Versions:
  • FortiSandbox 5.0.0 through 5.0.5
  • FortiSandbox 4.4.0 through 4.4.8
  • FortiSandbox 4.2 (all versions)
  • FortiSandbox Cloud 5.0.4 through 5.0.5
  • FortiSandbox PaaS 5.0.4 through 5.0.5
• Patch: Fortinet released an advisory (FG-IR-26-141) and patches on June 9, 2026. Upgrading to FortiSandbox 5.0.6 or above, FortiSandbox Cloud 5.0.6 or above, and FortiSandbox PaaS 5.0.6 or above resolves the flaw .

A note on CVSS scoring: While a few early sources initially listed CVE-2026-39808 and CVE-2026-39813 with a CVSS score of 9.8 , the authoritative mid-June reporting from NVD, Defused, BleepingComputer, and The Hacker News consistently confirms a 9.1 rating for all three CVEs . Security teams should use the 9.1 score to align with current threat intelligence.

What CVE-2026-25089 Reveals About AI-Generated Exploit Code

Defused reported that the exploit targeting CVE-2026-25089 appears to be "vibecoded" — a term indicating the code is likely AI-generated or hastily assembled, lacking the polish and reliability of a hand-crafted professional exploit .

This observation provides a rare window into how AI is changing the economics of vulnerability exploitation:

• Lower barrier to entry: AI models can rapidly produce functional exploit code for well-defined bug classes like OS command injection, enabling less-skilled actors to attempt attacks on freshly patched vulnerabilities. No confirmed, reliable public exploit exists for CVE-2026-25089, yet exploitation began within days of the patch .
• Faulty and inconsistent execution: The observed attack chain uses standard browser User-Agent spoofing and basic HTTP requests, but the payload is assessed as "potentially faulty with inconsistent code execution results" . This aligns with the broader reality of AI-generated code: it is often syntactically correct but logically fragile, especially for vulnerabilities that require precise protocol-level manipulation.
• Noisier, more detectable attacks: Flawed exploits generate more network noise and error conditions than surgical, human-crafted tools. For defenders, this means these attacks may be easier to detect through behavioral analytics and anomaly detection, even as they remain dangerous enough to succeed against unpatched systems .
• A likely future trend: CVE-2026-25089 serves as an early case study. The availability of large language models has reduced the time between patch release and first exploitation attempts. While today's results are inconsistent, the trajectory points toward more capable AI-assisted exploit development in the near future.

What Security Teams Should Do Now

The three FortiSandbox vulnerabilities are unauthenticated, low-complexity, and require no user interaction — making them ideal candidates for automated scanning and mass exploitation . FortiSandbox is particularly sensitive because other Fortinet products, including firewalls and endpoint detection systems, may rely on its malware verdicts to trigger automated blocking decisions .

• Patch immediately: Upgrade to the fixed versions specified in Fortinet's advisory FG-IR-26-141 for CVE-2026-25089, and verify that patches for CVE-2026-39813 and CVE-2026-39808 (released in April 2026) are applied .
• Isolate the management interface: Restrict access to the FortiSandbox Web UI and JRPC API from untrusted networks. These interfaces should not be exposed to the public internet .
• Hunt for IoCs: Look for HTTP requests targeting the FortiSandbox Web UI with unusually crafted JSON payloads, and monitor for standard browser User-Agent strings in traffic to the appliance .
• Assume downstream impact: If you use FortiGate, FortiAnalyzer, or other Fortinet products integrated with FortiSandbox, verify that they are receiving authentic verdicts and that no unauthorized configuration changes have occurred.

No customer impact or attribution to a specific threat group has been confirmed as of June 16, 2026, but the window between patch release and active, in-the-wild exploitation underscores the urgency for organizations to treat these 9.1-rated flaws as top-priority incidents .