Defused Cyber reported on June 15 that it observed exploitation attempts against three Fortinet FortiSandbox vulnerabilities within a 24 hour window via its honeypot network. CVE-2026-39813, a CVSS 9.1 path traversal vulnerability in the FortiSandbox JRPC API, allows an unauthenticated attacker to bypass authentication using crafted HTTP requests and access sensitive system data including configuration backups and version details. CVE-2026-39808, carrying a CVSS score as high as 9.8 depending on the scoring source, is an OS command injection flaw allowing unauthenticated remote code execution as root. Both were patched by Fortinet in April 2026 and credited to Fortinet’s own PSIRT team and a researcher at KPMG Spain respectively.
CVE-2026-25089, the third flaw, was covered in this brief in Issue 60 on June 11 as a newly disclosed and patched command injection vulnerability affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Defused noted that the exploitation attempt against this flaw shows signs of being generated with AI assistance and appears unreliable, with no fully working public exploit yet disclosed. Despite the apparent quality issues in the exploit code, attackers continue attempting it against exposed systems.
Fortinet has not publicly responded to inquiries about the scope of this exploitation activity. FortiSandbox products are widely deployed in enterprise environments specifically to detect and analyse advanced malware threats, connecting to other Fortinet security products through the Security Fabric to enforce blocking decisions based on its verdicts.
- Confirm FortiSandbox is upgraded to 4.4.9 or later, or 5.0.6 or later, depending on your deployment branch. This addresses all three actively exploited CVEs.
- Review FortiSandbox access logs for crafted HTTP requests to the JRPC API or unexpected administrative API calls dating back to April, in case earlier exploitation attempts succeeded before patches were applied.
- If FortiSandbox returned any unusual or unexpectedly clean threat verdicts in environments that were running unpatched versions, treat those verdicts as unreliable and re-scan the relevant files or traffic through an alternate analysis path.
Cisco disclosed on June 15 that it had identified active exploitation of CVE-2026-20262, an arbitrary file write vulnerability in the web interface of Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. The flaw stems from inadequate validation of user-supplied input during a file upload process. An authenticated attacker with valid write-access credentials can send crafted HTTP requests to an affected API endpoint to create or overwrite files on the underlying operating system, which can subsequently be used to escalate privileges to root.
Cisco stated it discovered the vulnerability internally and became aware of limited, targeted exploitation in June 2026. The company did not disclose extensive technical details about the observed attacks but advised administrators to review SD-WAN Manager logs for attempts to upload index.jsp or .war files, which is consistent with the exploitation technique. CISA added the flaw to its Known Exploited Vulnerabilities catalog, setting a remediation deadline of June 29, 2026 for federal civilian agencies. The vulnerability affects all Catalyst SD-WAN Manager deployment types, including on-premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP government deployments.
- Apply Cisco’s patch for CVE-2026-20262 to all Catalyst SD-WAN Manager deployments immediately, regardless of deployment type.
- Review SD-WAN Manager logs for unexpected uploads of index.jsp or .war files, the indicator Cisco specifically called out for this exploitation technique.
- Audit which accounts hold write-access credentials on SD-WAN Manager, since exploitation requires valid write-access credentials rather than unauthenticated access. Reducing the population of accounts with write access reduces the attack surface for this specific flaw.
CISA added CVE-2026-54420 to its Known Exploited Vulnerabilities catalog on June 16, 2026, confirming active exploitation. The vulnerability exists in LiteSpeed cPanel Plugin versions before 2.4.8, as distributed in LiteSpeed WHM Plugin before 5.3.2.0, and affects shared hosting servers running CloudLinux with CageFS. The plugin mishandles symlinks provided by a user who has FTP or web shell access, allowing that user to escalate privileges to root.
Namecheap brought the issue to LiteSpeed’s attention on May 31, 2026. LiteSpeed has urged users to upgrade to LiteSpeed WHM Plugin v5.3.2.1 or higher, which bundles the patched cPanel plugin v2.4.8. The specific technical details of how the vulnerability is being exploited in the wild, and whether any of those attacks have succeeded, have not been publicly disclosed as of today.
This follows CVE-2026-48172, a separate LiteSpeed cPanel plugin privilege escalation vulnerability that CISA added to KEV on May 26 after confirming it had been exploited as a zero-day. That earlier flaw affected the LiteSpeed user-end cPanel plugin specifically and was patched in version 2.4.5. LiteSpeed stated at the time that its WHM plugin was not affected by that particular flaw, though the user-end plugin is bundled with the WHM plugin in most deployments.
- Upgrade to LiteSpeed WHM Plugin v5.3.2.1 or higher, which bundles the patched cPanel plugin v2.4.8, on all shared hosting servers running CloudLinux or CageFS.
- Verify the actual running plugin version directly on each host rather than relying on inventory records, since hosted and shared environments are particularly prone to version drift between documented and deployed software.
- Review recently created user accounts and files with elevated permissions on affected hosting servers for signs of successful privilege escalation, particularly if patching has been delayed.