U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiSandbox and Microsoft SharePoint flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Fortinet FortiSandbox and Microsoft SharePoint flaws to its Known Exploited Vulnerabilities (KEV) catalog.
- CVE-2026-25089 (CVSS score of 9.8) Fortinet FortiSandbox OS Command Injection Vulnerability
- CVE-2026-39808 (CVSS score of 9.8) Fortinet FortiSandbox OS Command Injection Vulnerability
- CVE-2026-58644 (CVSS score of 9.8) Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
This week, Microsoft’s July 2026 Patch Tuesday addressed the SharePoint remote code execution bug CVE-2026-58644, which can be triggered without authentication or user interaction. The flaw stems from the deserialization of untrusted data.
“Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.” reads the advisory. “In a network-based attack, an attacker authenticated as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server.”
Microsoft confirmed it is aware of active exploitation of this vulnerability.
The second issue added to the KeV catalog is an OS command injection flaw, tracked as CVE-2026-25089, in FortiSandbox products. The vulnerability could allow remote, unauthenticated attackers to send specially crafted HTTP requests and execute arbitrary commands on affected devices. Adham El Karn of Fortinet Product Security team discovered the vulnerability.
The last issue added to the catalog, tracked as CVE-2026-39808, is an OS command injection flaw.
“An Improper Neutralization of Special Elements used in an OS Command (‘OS command injection’) vulnerability [CWE-78] in FortiSandbox may allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests.” reads the advisory.
Cybersecurity firm Defused Cyber confirmed it’s seen active exploitation of this vulnerability within a 24-hour window.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to urgently fix these flaws by July 19, 2026.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
