Attackers are actively exploiting two critical vulnerabilities in Fortinet's FortiSandbox product, identified as CVE-2026-39808 and CVE-2026-25089, which have a CVSS score of 9.1. These OS command injection flaws allow unauthorized users to execute arbitrary commands via crafted HTTP requests, without requiring credentials or user interaction. Fortinet released patches for these vulnerabilities, with the fix for CVE-2026-39808 issued in April. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice of the active exploitation and has issued a patch order. The fact that these flaws are being actively targeted by attackers underscores the urgency of applying the available patches1. This matters to security practitioners because the exploitation status of CVE-2026-39808, in particular, dictates whether this is a patch-now situation or one that requires ongoing monitoring.