The appliance whose job is to detonate malware

A sandbox exists to be attacked. You buy FortiSandbox so that suspicious files can be opened somewhere that is not your network, watched while they misbehave, and judged. It sits by design at the point where untrusted things arrive. That is what makes an unauthenticated command injection in its web interface a different category of problem from the same bug in an ordinary server.

CVE-2026-25089 is exactly that. It affects the web interface of FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS, and allows an unauthenticated attacker to execute unauthorised commands through specifically crafted HTTP requests. It carries a CVSS score of 9.1. Fortinet disclosed and patched it on 9 June 2026.

Mid-June the exploitation started, mid-July the catalog noticed

Exploitation of three FortiSandbox flaws was observed in the wild over the weekend of roughly 14 to 16 June, and independent tracking recorded exploitation of CVE-2026-39808 as early as 12 June. The security trade press carried it at the time: Help Net Security on 16 June, Qualys the following day, alongside coverage from The Hacker News and SecurityWeek. Two of the three, CVE-2026-39808 and CVE-2026-39813, had already been disclosed by Fortinet back in April. The third, CVE-2026-25089, had been patched on 9 June, days before the attacks began.

On 16 July 2026, CISA published catalog version 2026.07.16 and added three entries. Two of them are the FortiSandbox flaws, CVE-2026-25089 and CVE-2026-39808. The third is a Microsoft SharePoint deserialisation flaw, CVE-2026-58644.

Count the days. Confirmed, publicly reported, in-the-wild exploitation in the middle of June. Federal catalog entry on 16 July. Roughly thirty days separate the two, on an internet-reachable appliance with an unauthenticated remote code execution flaw, and during those thirty days the information was not secret. It was in vendor advisories and in the trade press.

The third one is still missing

Three FortiSandbox CVEs were reported as exploited in that June wave. Two were catalogued on 16 July. CVE-2026-39813, a path traversal flaw in the FortiSandbox JRPC API that can be used to bypass authentication, is not in the catalog.

This is the part that should change how the catalog is used rather than merely how fast. A KEV listing is a strong positive signal: if something is in there, it is being exploited and you should act. The absence of a listing is a much weaker signal than most patch programmes treat it as. CVE-2026-39813 was reported as exploited alongside the two that were listed, in the same wave, on the same product family, and it did not make the catalog. An organisation that patches what CISA lists and defers what CISA does not list has just deferred a flaw that attackers used in June.

A three-day clock on a change-controlled box

All three entries added on 16 July carry a remediation due date of 19 July 2026. Three days.

For an EU operator the federal deadline itself is not binding, and it is tempting to file that as an American administrative detail. It is more useful as a severity reading. A three-day due date is the catalog's way of saying it does not expect you to wait for the next window. The awkward part is the collision with reality: a sandbox appliance usually sits behind change control precisely because it inspects production traffic, and three days is not a change window in most organisations. That tension is the actual operational problem, and it does not resolve by reading the deadline more carefully.

Under NIS2 the exposure is not the American due date but the ordinary duty of care, and an unauthenticated remote code execution flaw on a security appliance, exploited in the wild for a month with a vendor patch available, is a difficult thing to explain as an accepted risk.

Rewire the trigger

The instruction here is small and specific. If your vulnerability process starts when something appears in the KEV, the process starts about a month late and it misses items entirely. That is not a criticism of the catalog, which does what it says: it records what is known to be exploited, when the evidence reaches the threshold. It is a criticism of using a confirmation feed as an early warning system.

Do three things. Subscribe directly to the PSIRT advisory feeds of every vendor whose appliances terminate untrusted traffic, because Fortinet published this in June while the catalog spoke in July. Give internet-facing security appliances their own patch lane with a shorter clock than general infrastructure, since they are simultaneously the most exposed and the most change-controlled assets you own. And check your FortiSandbox estate against all three June CVEs, not the two that were catalogued.