A large-scale credential-theft campaign has compromised approximately 75,000 Fortinet firewall devices, exfiltrating stored passwords. The attack exploits exposed management interfaces or known vulnerabilities to harvest credentials at scale. This poses a significant risk to organisations using FortiGate appliances, particularly those with internet-facing management planes.

Security Architect’s Take: Immediately rotate all credentials associated with affected Fortinet devices, including VPN accounts, local admin accounts, and any downstream systems that share those credentials. Audit your FortiGate estate for internet-exposed management interfaces and restrict access to trusted IP ranges via firewall policy or a jump host.

Original advisory: Massive password-stealing attack hits 75k Fortinet firewalls

Three critical vulnerabilities in Fortinet’s FortiSandbox product have been actively exploited by unknown attackers in the wild. Patches are available for all three flaws, making urgent remediation essential for any organisation running FortiSandbox. The active exploitation status significantly raises the risk, as attackers are already leveraging these weaknesses before many organisations have had a chance to respond.

Security Architect’s Take: If FortiSandbox is deployed anywhere in your environment — on-premises or integrated with cloud workloads — prioritise patching immediately and review logs for indicators of compromise prior to the patch window. Isolate affected appliances from the network if an immediate upgrade is not possible.

Original advisory: Three critical Fortinet sandbox bugs splattered by unknown attackers

Attackers are actively exploiting three vulnerabilities in Fortinet FortiSandbox, a network security sandboxing product, including a critical path traversal flaw (CVE-2026-39813, CVSS 9.1) in its JRPC API. Two additional CVEs — CVE-2026-39808 and CVE-2026-25089 — are also being abused in the wild, with at least one patched only last week. Active exploitation makes this an urgent patching priority for any organisation running FortiSandbox.

Security Architect’s Take: Immediately apply the latest Fortinet patches for FortiSandbox and audit internet-facing exposure of the JRPC API — if it does not need to be externally accessible, restrict it at the network perimeter. Check threat intelligence feeds and FortiSandbox logs for indicators of compromise consistent with path traversal attempts.

Original advisory: Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week