CISA Warns of Active Attacks on Fortinet FortiSandbox and Microsoft SharePoint Flaws
Three vulnerabilities added to the federal Known Exploited Vulnerabilities Catalog on July 16, 2026, including two OS command injection bugs in a widely deployed security appliance and a deserialization flaw in SharePoint.

The US Cybersecurity and Infrastructure Security Agency added three actively exploited security flaws to its Known Exploited Vulnerabilities Catalog on July 16, 2026, flagging real-world attacks against Fortinet FortiSandbox and Microsoft SharePoint.
What Was Added and Why It Matters
The catalog, often called the KEV list, functions as a living registry of software flaws confirmed to be in active use by attackers. A listing is not a theoretical warning. It means someone has already weaponised the bug and is using it against real targets.
Two of the new entries sit inside Fortinet FortiSandbox, a network security appliance organisations deploy to analyse suspicious files in an isolated environment before those files reach the broader network. The flaws, tracked as CVE-2026-25089 and CVE-2026-39808, are both OS command injection vulnerabilities. An attacker exploiting either one can force the appliance to execute arbitrary system commands, effectively handing over a foothold at the network perimeter. The cruel irony is sharp: a device purchased specifically to catch malware becomes the entry point.
The third vulnerability, CVE-2026-58644, is a deserialization of untrusted data bug in Microsoft SharePoint. SharePoint processes a crafted data object incorrectly, allowing a remote attacker to run arbitrary code on the server. SharePoint hosts sensitive internal documents, HR records, project files, and legal materials at organisations across every sector. Remote code execution on that platform is a high-impact outcome.
Who Must Act, and on What Timeline
Federal civilian agencies in the United States operate under Binding Operational Directive 26-04, which requires them to prioritise patching for KEV Catalog entries, particularly on internet-facing systems where exploitation would grant an attacker significant control. The directive also requires agencies to check whether a compromise already occurred before the patch was applied. Patching a system that is already breached without first hunting for signs of intrusion can trap an active threat actor inside the environment.
CISA stated publicly that the directive technically applies only to federal civilian agencies. But the agency urged all organisations, including private companies, hospitals, universities, and local governments, to treat KEV entries as high-priority remediation items. Those organisations are not legally bound, but they face the same attacker population.
According to Binding Operational Directive 22-01, the framework that established the KEV Catalog, the catalog exists because "unacceptable risks" arise when known-exploited vulnerabilities remain unpatched. That principle holds regardless of sector.
Why the Fortinet Situation Is Particularly Concerning
Security appliances occupy a trusted position in most network architectures. Firewalls, sandbox devices, and intrusion detection systems sit at chokepoints, see enormous volumes of traffic, and typically carry elevated network privileges. Defenders rarely scrutinise them as closely as they watch endpoints. Attackers know this.
The Verizon 2024 Data Breach Investigations Report noted that exploitation of vulnerabilities as an initial access vector tripled year over year, with a significant portion targeting edge devices. FortiSandbox sits squarely in that category. When command injection succeeds on a perimeter security device, the attacker does not just gain a single compromised host. They gain visibility into traffic flows and potentially a pivot point into segmented internal networks.
The SharePoint Deserialization Problem
Deserialization vulnerabilities are not new, but they remain stubbornly common. The core problem is that applications deserialize, or unpack, data they receive without adequately validating whether that data is safe. Microsoft has addressed deserialization issues in SharePoint on multiple prior occasions, which means attacker tooling for this class of bug is mature and widely shared.
Ransomware crews have historically favoured SharePoint as a target because a successful intrusion yields immediate access to file stores that organisations cannot afford to lose. Exfiltrating documents before encrypting them gives attackers a second extortion lever. IT teams managing SharePoint deployments should treat CVE-2026-58644 as an emergency-tier patch, not a routine monthly update.
What Controls Failed Here
The presence of these three bugs on the KEV Catalog points to a persistent gap that security teams understand intellectually but underestimate in practice: patch velocity on edge devices and collaboration platforms consistently lags behind attacker capability. Organisations tend to patch workstations and widely publicised browser bugs quickly. Security appliances and server-side collaboration tools often sit in a slower cycle, sometimes because change-management processes treat them as infrastructure that should not be touched frequently.
There is also a monitoring gap. OS command injection on a FortiSandbox device would generate unusual process execution events. Deserialization exploitation on SharePoint would produce anomalous web application log entries. Both are detectable, but only if teams are actively hunting for indicators of compromise rather than waiting for an alert to fire. The 2024 DBIR found that the median time from initial compromise to discovery was still measured in days to weeks for many organisations. That gap is where attackers establish persistence.
Employee-facing systems like SharePoint also represent a human-awareness dimension that is easy to overlook. Phishing emails frequently contain links that direct users to attacker-controlled pages designed to harvest SharePoint credentials or trick users into opening malicious documents hosted on compromised SharePoint instances. Organisations that train staff to recognise suspicious document requests and unexpected login prompts reduce the downstream blast radius when a server-side vulnerability is successfully exploited, because attackers have fewer harvested credentials to move laterally after gaining initial access.
What IT Teams Should Do Right Now
Prioritise these four actions:
- Check installed versions of Fortinet FortiSandbox against Fortinet's published security advisory for CVE-2026-25089 and CVE-2026-39808, and apply vendor patches immediately.
- Apply Microsoft's security update for CVE-2026-58644 in SharePoint, and review SharePoint server logs for unusual HTTP requests, unexpected process spawning, or new scheduled tasks created around the time of potential exposure.
- Search for indicators of prior compromise before declaring the patched system clean. A patched but already-breached server requires incident response, not just an update.
- Confirm that these systems sit behind multi-factor authentication wherever administrative access is required. Credential-based follow-on access is how attackers maintain persistence after an initial exploit.
CISA has not attributed the active exploitation to a specific threat actor or disclosed victim counts, which is consistent with early-stage catalog listings. More technical detail typically surfaces in the weeks following a KEV addition as incident responders publish findings.
The CISA KEV Catalog is publicly accessible and searchable. Every IT and security team should have a process that checks it at minimum weekly. The Train2Secure pricing page outlines how organisations of all sizes can build layered training programs that complement technical patching workflows. If a system cannot be patched immediately, compensating controls and heightened monitoring are the next best option. Waiting is not.
How patch delays and weak user awareness combine to amplify these vulnerabilities
- Audit your patch management cadence for edge devices and collaboration platforms separately from endpoint update cycles, since these systems routinely lag behind.
- Deploy log monitoring and anomaly detection on SharePoint servers and perimeter security appliances to catch exploitation attempts before attackers establish persistence.
- Train staff to recognise phishing lures and suspicious document requests that exploit the trust users place in SharePoint links and notifications.
Train2Secure helps security teams build the human-layer controls that technical patches alone cannot cover, starting with a [free trial](https://train2secure.com/free-trial) that requires no credit card.
Start free, no card requiredSources & further reading
- https://www.cisa.gov/news-events/alerts/2026/07/16/cisa-adds-three-known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://nvd.nist.gov/vuln/detail/CVE-2026-58644
- https://nvd.nist.gov/vuln/detail/CVE-2026-25089
- https://nvd.nist.gov/vuln/detail/CVE-2026-39808
- https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities
Frequently asked questions
What is the CISA Known Exploited Vulnerabilities Catalog?
The KEV Catalog is a list maintained by the US Cybersecurity and Infrastructure Security Agency of software vulnerabilities confirmed to be actively exploited in real-world attacks. Federal civilian agencies are required to patch these bugs on a set schedule under Binding Operational Directive 22-01, and CISA recommends all organisations treat them as high-priority remediation items.
How dangerous are the Fortinet FortiSandbox vulnerabilities CVE-2026-25089 and CVE-2026-39808?
Both are OS command injection flaws. A successful exploit lets an attacker execute arbitrary system commands on the FortiSandbox appliance, which sits at the network perimeter and carries elevated trust. Compromise of such a device can expose internal network segments and traffic visibility to the attacker.
What is a deserialization vulnerability and why is CVE-2026-58644 in SharePoint serious?
Deserialization vulnerabilities occur when an application unpacks data it receives without properly validating whether that data is safe to process. In SharePoint, CVE-2026-58644 allows a remote attacker to supply crafted data that triggers arbitrary code execution on the server, potentially exposing all documents and data stored on that SharePoint instance.
Do private companies have to comply with the CISA KEV Catalog patching requirements?
No. Binding Operational Directive 26-04 legally applies only to US federal civilian agencies. However, CISA explicitly urges all organisations, including private businesses, healthcare providers, and local governments, to treat KEV entries as top-priority patches because they face the same threat actors targeting federal networks.



