US authorities have ordered a rush patch on a Fortinet security product. The lesson is one every business already knows.
Cyber Security

US authorities have ordered a rush patch on a Fortinet security product. The lesson is one every business already knows.

Two critical flaws in Fortinet's FortiSandbox let an attacker take it over with no password. CISA put them on its must-patch list with a deadline of Sunday 19 July.

17 July 20264 min read

On 16 July the US Cybersecurity and Infrastructure Security Agency added two flaws in Fortinet's FortiSandbox to its Known Exploited Vulnerabilities list, the catalogue it keeps for security holes being used in real attacks. It gave federal agencies until Sunday 19 July to patch or pull the affected kit offline. FortiSandbox is a security appliance that inspects suspicious files and web links to work out whether they are malware, so it sits close to the heart of a network's defences. The two flaws, tracked as CVE-2026-39808 and CVE-2026-25089, are both rated 9.1 out of 10 for severity.

What the flaws let an attacker do

Both are what is called a command injection flaw, which means an attacker can send a specially built web request to the device and have it run their own commands. No password and no user interaction are needed. Because FortiSandbox runs with the highest level of access, taking it over hands an attacker deep control of the very system meant to spot threats. Fortinet released fixes for these earlier in the year, so the patches have been available for months. The risk now sits with the machines that have not had them applied.

A word on the 'under attack' label

There is some debate about how widely these flaws are being used. CISA only adds a flaw to this list when it has evidence of real-world exploitation, and security researchers have reported attempts against both. Fortinet has not publicly confirmed active exploitation, and one of the public attack tools looks unreliable. None of that changes the call. When a fix has been out for months and a government agency sets a hard deadline to apply it, the safe move is to get it on rather than wait to find out who was right.

How much should a smaller business worry

Plainly: most small firms do not run a FortiSandbox themselves. It is enterprise and managed-provider kit rather than something sat in a ten-person office. The reason it still matters to you is the pattern, not the product. An internet-facing security box, carrying a known flaw with a fix already out, is exactly the kind of soft target attackers hunt for. Plenty of businesses do run a Fortinet firewall, and plenty more rely on an IT provider whose own equipment protects dozens of clients at once. When that shared kit falls behind on updates, every business behind it is exposed.

What to do

If you run any Fortinet equipment, the question for whoever manages your IT is a plain one: is our Fortinet kit on the latest firmware, and were these July fixes applied? If your IT is outsourced, it is fair to ask the same about the provider's own systems, because their equipment often protects your business too. If nobody can give you a clear yes, that uncertainty is the finding worth acting on this week.

What this means for your business

Security appliances are meant to be the part of your setup you can forget about, which is exactly why they drift out of date. The flaws here are serious, but the fix is the ordinary one: keep internet-facing kit patched as updates land, servers and security devices first. For the networks we look after we track firmware across every device and apply tested updates on a set schedule, so a known hole does not sit open for weeks. If you are not sure when your firewall or security kit was last updated, that is worth pinning down now.

#WEARECOBALT

Ready when you are.

Tell us what's slowing your business down. We'll tell you exactly how we'd fix it — plainly, with no obligation.