Update priority: CISA added Fortinet FortiSandbox CVE-2026-25089 and CVE-2026-39808 to the Known Exploited Vulnerabilities Catalog on July 16, 2026. These are connected critical FortiSandbox maintenance items. Confirm the deployed branch, protect the configuration and recovery path, install the vendor-supported remediation, and verify normal sandbox operations afterward.
What CISA added
CISA identifies both CVEs as unauthenticated command-execution risks affecting FortiSandbox. CISA assigns July 19, 2026 as the remediation due date for federal civilian executive branch agencies. The date is not a private-sector legal deadline, but it is a strong reason for FortiSandbox owners, managed security providers, and hosting teams to treat this as an urgent security maintenance window.
Confirm your FortiSandbox branch
- Identify every FortiSandbox appliance, cloud service, or managed deployment and assign a named service owner.
- Record the installed version, support status, access model, business dependencies, maintenance approver, recovery owner, and validation owner.
- Check both Fortinet advisories before scheduling the change. The advisories are separate, so confirm that the final target version addresses each advisory that applies to the deployment.
Use the vendor-supported upgrade path
Fortinet’s advisory for CVE-2026-39808 lists FortiSandbox 4.4.0 through 4.4.8 as affected and directs owners to upgrade to 4.4.9 or later. Fortinet’s advisory for CVE-2026-25089 lists fixed releases for affected FortiSandbox 4.4 and 5.0 deployments, including 4.4.9 or later and 5.0.6 or later where applicable. Cloud and PaaS owners should confirm their service channel and current vendor guidance with Fortinet before closing the change.
Patch safely and verify normal service
- Confirm a recent, protected configuration backup and that the recovery owner can use it if the maintenance needs to be rolled back.
- Schedule an approved maintenance window and notify the teams that rely on malware analysis, submission, reporting, alerting, or downstream security workflows.
- Apply the current Fortinet-supported remediation for the exact deployed branch. Do not leave a system on an older branch simply to avoid a compatibility check.
- After the update, confirm authorized administrative access, expected analysis and reporting workflows, monitoring, backup activity, and connected security processes are normal.
- Record the final version, validation result, change owner, and any remaining exception in the change record.
Reduce exposure while work is underway
Keep FortiSandbox management access private or tightly limited to authorized administrators. If the maintenance cannot happen immediately, escalate the risk and use a documented, broad exposure-reduction plan such as trusted-network access controls and stronger identity protections. A firewall or edge control may buy time, but it cannot replace the Fortinet-supported update.
Review and communicate accurately
Review your normal security and change-management records for unexpected service, administrative, or configuration activity around the exposure window. Preserve evidence through your internal process, and do not announce an incident unless it has been confirmed. Customer communication should state the expected maintenance impact and support contact without implying an outage or compromise that has not been established.
Related Fix I.T. Phill guidance
- Fix I.T. Phill Security hub
- WordPress support and maintenance guidance for web teams coordinating a security maintenance window.
- cPanel and WHM maintenance guidance for hosting teams coordinating related server work.
