Multiple critical vulnerabilities in Fortinet FortiSandbox are now under active exploitation, according to threat intelligence firm Defused Cyber. The company reported observing attacks targeting three flaws—CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089—over the past 24 hours.
CVE-2026-39813 is a path traversal vulnerability in the FortiSandbox JRPC API and carries a CVSS score of 9.1. The other two flaws, though not explicitly scored in available reports, are similarly critical, and attackers are chaining them to compromise the cyber threat detection platform.
Defused Cyber disclosed the ongoing exploitation via a post on X, noting that one of the three vulnerabilities was patched only last week. The attack vector involves sending specially crafted requests to the API, enabling unauthorized access or code execution on unpatched systems.
Fortinet has released patches for some of these vulnerabilities, but the rapid exploitation timeline underscores the urgency for administrators to apply updates immediately. No official workarounds have been published, making patching the primary defense.
Meanwhile, CISA has separately warned U.S. federal agencies to secure servers against an actively exploited vulnerability (CVE-2026-54420) in the LiteSpeed cPanel user-end plugin, giving them three days to remediate. While the two incidents are unrelated, they highlight a broader pattern of attackers targeting widely deployed server software.
It remains unclear whether the FortiSandbox exploits are linked to a specific threat actor or are part of a wider campaign. Organizations using the platform should prioritize patching and monitor for indicators of compromise.