FortiBleed and Three FortiSandbox CVEs: The Fortinet Bill Comes Due
The question every Head of Platform running Fortinet at the perimeter should be putting to their CFO and GC this week is not whether to patch, it is whether the next three-year renewal still pencils out. Three FortiSandbox CVEs are being actively exploited in the wild, and a parallel campaign called FortiBleed has burned through more than 30,000 firewalls across 194 countries. The unit economics of a single-vendor perimeter just shifted, and most security budgets haven't caught up.
This is no longer a vulnerability story. It is a vendor concentration story dressed up as one.
What Happened
On June 16, 2026, threat intelligence firm Defused Cyber posted on X that it had observed in-the-wild exploitation of three FortiSandbox vulnerabilities over the preceding 24 hours. As The Hacker News reported, the three CVEs all carry CVSS 9.1 scores: CVE-2026-39813, a path traversal in the FortiSandbox JRPC API that lets an unauthenticated attacker bypass authentication via crafted HTTP requests; CVE-2026-39808, an unauthenticated OS command injection over HTTP; and CVE-2026-25089, a third OS command injection affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI.
Fortinet patched the first two in April 2026. The third was only fixed the week before publication. Defused Cyber assessed that the exploit for CVE-2026-25089 shows signs of being developed using an AI model, and that the exploit is faulty. No working public exploit has been disclosed.
Sitting underneath this disclosure is a much larger story. SOCRadar reported that suspected Russian-speaking threat actors have compromised more than 30,000 Fortinet firewalls across 194 countries, after identifying an operational server tied to the activity. The attacker's database, per SOCRadar, "contains login credentials for more than 30,791 devices belonging to companies and government organizations across 194 countries." These were not guesses. They were verified, working credentials, tested by automated tools running around the clock.
Hudson Rock followed up on June 17 with sharper numbers: the campaign, dubbed FortiBleed, hit 73,932 unique firewall URLs and 21,632 unique affected domains. Volodymyr "Bob" Diachenko, who first flagged the activity on LinkedIn, put the operation at 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MS-SQL servers. The compromised devices include banks, telecom operators, hospitals, universities, government agencies, and energy companies. India alone accounts for 60% of internet-exposed Fortinet deployments in the government sector.
Technical Anatomy
The three FortiSandbox CVEs share a common shape. All are unauthenticated, all are reachable over HTTP, and all sit on a device that is, by design, deeply trusted inside the inspection pipeline. A sandbox appliance receives suspicious files and URLs from across the environment, which means it tends to be wired into mail flow, web proxies, EDR, and SIEM. Compromise the sandbox and you are not at the edge of the network, you are at the center of its detection logic.
CVE-2026-39813 is a path traversal in the JRPC API: a crafted request path reaches handlers that should sit behind authentication, so the check is sidestepped before any business logic runs. The two OS command injection bugs (CVE-2026-39808 and CVE-2026-25089) are reachable without credentials on their own, and with CVE-2026-39813 in hand anything else the JRPC API exposes is reachable too. The kill chain collapses into a single crafted HTTP request: inject a command, execute as the appliance. No lateral movement step is required to reach impact. The MITRE CVE entries describe the pattern; the operational reality is straightforward: these are the kind of bugs that get added to the CISA KEV catalog within days, not weeks.
FortiBleed is a different beast. It is not a single zero-day, it is a credential-harvesting machine. SOCRadar describes a two-step approach: first, try previously leaked Fortinet passwords against internet-exposed devices, because many organizations never rotated credentials after earlier breaches. Second, once inside a device, passively monitor network traffic to harvest additional credentials as they pass through. The compromised firewalls become listening posts, feeding new credentials back into the rotation. Hudson Rock notes that the attackers crack hashes on a 45-GPU cluster managed via Hashtopolis and pivot from intercepted SSL-VPN authentication into internal Active Directory environments.
The unsettling detail, in Hudson Rock's words: "A particularly alarming detail from this dataset is the high volume of extremely complex passwords that were successfully compromised." Their conclusion is blunt. "Complexity is completely neutralized when passwords are recovered in plaintext." If your password policy was your last line of defense at the VPN, that line has been erased.
Who Gets Burned
Three groups should be having uncomfortable internal conversations this quarter.
The first is any regulated operator whose Fortinet footprint sits inside a licensed perimeter. Licensed iGaming platforms, payment institutions, and crypto exchanges all tend to standardize on a single firewall vendor because audit evidence is easier to produce. That standardization is now a liability. A compromised SSL-VPN appliance feeding credentials into Active Directory is exactly the breach pattern that triggers GDPR Article 33 notifications, FCA SUP 15 reports, and gaming regulator incident filings. The General Counsel question is not "are we patched," it is "what is our disclosure exposure if our credentials are sitting in a Russian-speaking operator's database right now."
The second group is fintechs and crypto firms with India, U.S., or Singapore concentration. Those three countries sit inside the top ten affected, and India in particular is structurally exposed because of its government-sector deployment density. For a series-B fintech with a Bengaluru engineering hub behind a Fortinet VPN, the realistic question is whether the corporate identity perimeter is already breached, not whether it might be.
The third group is the smaller managed security providers who resell Fortinet as their default stack. Their margin model depends on volume vendor discounts and shared playbooks. When the underlying appliance is implicated in a credential harvesting campaign of this scale, customer churn pressure lands on the MSSP, not on Fortinet. Expect renewal conversations to get tense, and expect at least one mid-market MSSP to use this as the moment to diversify their stack toward Palo Alto, Cisco, or a cloud-native ZTNA play. The hiring market follows: experienced Fortinet engineers who can also speak fluent Zscaler or Cloudflare Access just became materially more valuable.
The CFO at any of these companies should be asking the VP of Engineering this week: what is the realistic switching cost, in dollars and engineer-months, of reducing Fortinet to one zone instead of the whole perimeter? That number was theoretical six months ago. It is now an input to the next budget cycle.
Playbook for Security Teams
Patch the three FortiSandbox CVEs immediately if you have not already. Fixes for CVE-2026-39813 and CVE-2026-39808 have been available since April 2026, so any unpatched instance has now been exposed for sixty-plus days against active exploitation. CVE-2026-25089 was patched the week of June 9. Treat all three as KEV-equivalent whether or not they appear in the CISA catalog yet, and cover FortiSandbox Cloud and PaaS tenants as well, since CVE-2026-25089 affects those too.
Beyond patching, three actions matter this week. First, rotate every credential that has ever traversed a FortiGate SSL-VPN: not just admin credentials, every credential, including the LDAP bind account the FortiGate itself uses if it authenticates against AD, and any service account whose password has ever been typed into the portal. The FortiBleed model assumes the device became a listening post the moment it was breached, so historical traffic is suspect. Second, hunt for the post-exploitation pattern Hudson Rock described: SSL-VPN authentication interception followed by Active Directory enumeration. Look for anomalous Kerberos and LDAP activity whose source address falls inside the SSL-VPN client address pools, in particular broad directory searches and bursts of service-ticket requests for many distinct SPNs that an ordinary remote user never generates. Third, audit your password complexity policy honestly. If your control story depended on entropy, that story is over. Phishing-resistant MFA at the VPN edge is no longer optional.
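The hunt for the second action, as an added example for this article rather than tooling from Hudson Rock, SOCRadar or Fortinet. It assumes domain-controller LDAP and Kerberos TGS events have already been normalized into pipe-delimited lines (timestamp, source IP, user, protocol, detail), that the SSL-VPN portal hands out client addresses from known pools, and that broad LDAP filters and multi-SPN ticket bursts are the enumeration signals worth scoring. The pools, event format, thresholds and the sample events are all hypothetical and constructed here.

```python
"""Hunt for Active Directory enumeration sourced from SSL-VPN client pools.

Added example for this article; not code from Hudson Rock, SOCRadar or Fortinet.
Assumes DC-side LDAP and Kerberos TGS events have been normalized into
pipe-delimited lines (timestamp|src_ip|user|proto|detail). The VPN pools,
event format and thresholds below are hypothetical.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical SSL-VPN client pools; substitute the ranges your portal assigns.
VPN_POOLS = [ipaddress.ip_network(n) for n in ("10.212.0.0/16", "10.213.0.0/16")]

# LDAP filters that walk the directory instead of looking up one object
# (compared lowercased). Extend with whatever your own tooling never issues.
BROAD_FILTERS = {
    "(objectclass=*)", "(objectcategory=person)", "(objectcategory=computer)",
    "(objectcategory=group)", "(serviceprincipalname=*)",
}

# Constructed sample events: an ordinary VPN user (jsmith), a VPN session that
# enumerates users and SPNs and then requests four service tickets within a
# minute (svc_backup), and an internal scanner that sits outside the VPN pools.
SAMPLE_LOGS = """\
2026-06-17T08:01:02|10.212.4.19|jsmith|LDAP|base=DC=corp,DC=example filter=(sAMAccountName=jsmith)
2026-06-17T08:01:05|10.212.4.19|jsmith|KRB_TGS|spn=cifs/fs01.corp.example
2026-06-17T08:09:40|10.212.4.19|jsmith|KRB_TGS|spn=http/intranet.corp.example
2026-06-17T08:02:10|10.213.7.40|svc_backup|LDAP|base=DC=corp,DC=example filter=(objectClass=*)
2026-06-17T08:02:11|10.213.7.40|svc_backup|LDAP|base=DC=corp,DC=example filter=(servicePrincipalName=*)
2026-06-17T08:02:12|10.213.7.40|svc_backup|LDAP|base=CN=Users,DC=corp,DC=example filter=(objectCategory=person)
2026-06-17T08:02:30|10.213.7.40|svc_backup|KRB_TGS|spn=MSSQLSvc/db01.corp.example:1433
2026-06-17T08:02:31|10.213.7.40|svc_backup|KRB_TGS|spn=http/web01.corp.example
2026-06-17T08:02:32|10.213.7.40|svc_backup|KRB_TGS|spn=cifs/fs02.corp.example
2026-06-17T08:02:33|10.213.7.40|svc_backup|KRB_TGS|spn=ldap/dc02.corp.example
2026-06-17T08:05:00|10.50.1.8|vulnscan|LDAP|base=DC=corp,DC=example filter=(objectClass=*)
2026-06-17T08:05:01|10.50.1.8|vulnscan|LDAP|base=DC=corp,DC=example filter=(servicePrincipalName=*)
"""


def parse_line(line):
    """Turn one normalized event line into a dict; raises on malformed input."""
    ts, src, user, proto, detail = line.strip().split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
            "user": user, "proto": proto, "detail": detail}


def in_vpn_pool(ip):
    """True if the address (str or ipaddress object) is inside a VPN client pool."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in VPN_POOLS)


def ldap_filter(detail):
    m = re.search(r"filter=(\S+)", detail)
    return m.group(1).lower() if m else ""


def spn(detail):
    m = re.search(r"spn=(\S+)", detail)
    return m.group(1).lower() if m else ""


def hunt(lines, window=timedelta(minutes=5), broad_threshold=2, spn_threshold=4):
    """One finding per VPN-pool source that, inside any sliding `window`, issued
    >= broad_threshold broad LDAP searches or requested TGS tickets for
    >= spn_threshold distinct SPNs. Sources outside the pools are ignored."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ev = parse_line(line)
        if in_vpn_pool(ev["src"]):          # scope the hunt to VPN-assigned addresses
            by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()
        peak_broad = peak_spns = 0
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:   # drop events older than the window
                recent.popleft()
            broad = sum(1 for e in recent
                        if e["proto"] == "LDAP" and ldap_filter(e["detail"]) in BROAD_FILTERS)
            spns = {spn(e["detail"]) for e in recent if e["proto"] == "KRB_TGS"}
            peak_broad, peak_spns = max(peak_broad, broad), max(peak_spns, len(spns))
        reasons = []
        if peak_broad >= broad_threshold:
            reasons.append(f"{peak_broad} broad LDAP searches within {window}")
        if peak_spns >= spn_threshold:
            reasons.append(f"TGS requests for {peak_spns} distinct SPNs within {window}")
        if reasons:
            findings.append({"src": str(src), "users": sorted({e["user"] for e in evs}),
                             "first_seen": evs[0]["ts"].isoformat(),
                             "last_seen": evs[-1]["ts"].isoformat(),
                             "broad_ldap": peak_broad, "distinct_spns": peak_spns,
                             "reasons": reasons})
    return findings


def hunt_sample():
    """Run the hunt over the embedded constructed sample."""
    return hunt(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for f in hunt_sample():
        print(f"{f['src']} ({', '.join(f['users'])}) {f['first_seen']}..{f['last_seen']}: "
              + "; ".join(f["reasons"]))
```

On the sample, only 10.213.7.40 is reported: the internal scanner at 10.50.1.8 issues the same broad filters but sits outside the VPN pools, which is exactly the scoping that keeps this hunt from drowning in vulnerability-scanner noise, and jsmith's two ticket requests are eight minutes apart and never reach the SPN threshold. Tune the window and thresholds against a week of your own DC logs before alerting on it; the thresholds here are deliberately low so the sample triggers.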
One operational note on the AI-generated exploit detail. Defused Cyber's observation that the CVE-2026-25089 exploit was AI-assisted and faulty is a preview, not an anomaly. The next twelve months will see a steady stream of half-working AI-generated exploits hitting production targets within days of patch release. Detection engineering should assume shorter patch-to-exploit windows as the default, not the exception.
Key Takeaways
- Three FortiSandbox CVEs (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089), all CVSS 9.1, are under active exploitation per Defused Cyber, with two patched in April 2026 and one only patched the week of June 9.
- FortiBleed compromised more than 30,000 Fortinet firewalls across 194 countries, per SOCRadar, with Hudson Rock counting 73,932 unique firewall URLs and 21,632 affected domains.
- The campaign processed 1.16 billion credential attempts against 320,777 FortiGate targets, cracking hashes on a 45-GPU Hashtopolis cluster and pivoting into Active Directory via SSL-VPN interception.
- Password complexity is not a defense when credentials are recovered in plaintext from compromised appliances; phishing-resistant MFA at the VPN edge is now the floor, not the ceiling.
- Teams evaluating their 2027 perimeter stack should now be asking: what does the renewal cost look like if Fortinet is one zone among three, instead of the default everywhere?
Frequently Asked Questions
Q: What are the three FortiSandbox vulnerabilities being exploited?
CVE-2026-39813 is a path traversal in the JRPC API that bypasses authentication, while CVE-2026-39808 and CVE-2026-25089 are both unauthenticated OS command injection flaws over HTTP. All three carry a CVSS score of 9.1, and Defused Cyber observed active exploitation of all three within a 24-hour window before June 16, 2026.
Q: What is the FortiBleed campaign?
FortiBleed is a credential-harvesting operation, attributed by Diachenko and SOCRadar to a Russian-speaking multi-operator group, that has compromised more than 30,000 Fortinet firewalls across 194 countries. Attackers reuse previously leaked Fortinet passwords, then use compromised devices as listening posts to harvest additional credentials passing through, cracking hashes on a 45-GPU Hashtopolis cluster.
Q: Why does it matter that one exploit was developed with AI?
Defused Cyber assessed that the exploit for CVE-2026-25089 showed signs of AI-assisted development and was faulty. The signal is not the quality of this particular exploit, it is the trajectory: AI-assisted exploit development is shortening the window between patch release and weaponization, which means defenders can no longer rely on weeks of grace after a vendor advisory.