🚨 CRITICAL ALERT: Active Zero-Day Exploits
Attackers are actively exploiting three critical vulnerabilities with CVSS scores of 9.8 that enable unauthenticated remote code execution (RCE); these flaws have been added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2026-07-16, requiring immediate patching to prevent system compromise [1][2][3].
Critical Vulnerabilities (CVSS >= 8.0)
- CVE-2026-39808 (CVSS: 9.8): An OS command injection flaw in Fortinet FortiSandbox 4.4.0 through 4.4.8 allows unauthenticated attackers to execute arbitrary code via the /fortisandbox/job-detail/tracer-behavior endpoint by injecting shell metacharacters into the jid parameter [1][2]. Attackers can chain this with other flaws to achieve root-level RCE without authentication [1][3]. View NVD | CISA KEV
- CVE-2026-25089 (CVSS: 9.8): An OS command injection vulnerability affecting FortiSandbox 4.2 (all versions), 4.4.0 through 4.4.8, 5.0.0 through 5.0.5, and FortiSandbox Cloud/PaaS 5.0.4 through 5.0.5 allows unauthenticated attackers to execute unauthorized commands via specifically crafted HTTP requests [1][2][6]. View NVD | CISA KEV
- CVE-2026-58644 (CVSS: 9.8): A deserialization of untrusted data flaw in Microsoft Office SharePoint enables unauthorized attackers to execute code over the network without authentication [User Query]. View NVD | CISA KEV
âš¡ Immediate Actions Required
1. Patch Immediately: Upgrade FortiSandbox 4.4.x to version 4.4.9 or above to fix CVE-2026-39808 [1][3][10]. Apply Fortinet’s latest patches for CVE-2026-25089 across all affected versions (4.2, 4.4.x, 5.0.x, Cloud, and PaaS) [1][2]. Update Microsoft SharePoint to the latest version containing the fix for CVE-2026-58644 immediately [User Query].
2. Network Isolation & WAF: Do not expose FortiSandbox management interfaces to the internet; if unavoidable, place a WAF in front and subscribe to intelligence blocklists to drop traffic from known attacking IPs [1]. Restrict network access to the FortiSandbox management interface and block external access to /fortisandbox/job-detail/ endpoints via firewall rules if patching is delayed [3].
3. Forensic Monitoring: Scan system logs for the string tracer-behavior combined with shell metacharacters (|, ;, &, $) in the jid parameter to detect active exploitation [3][8]. Isolate affected appliances immediately if signs of „Sandbox-Snake“ activity are detected [8].

