TL;DR
CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog on July 16, 2026. Two affect Fortinet FortiSandbox, and one affects Microsoft SharePoint. Federal agencies must remediate all three by July 19, 2026.
Why it matters
The SharePoint entry marks a sharp reversal. Reporting on July 15 noted that Microsoft had not flagged CVE-2026-58644 as exploited, labeling it only “Exploitation More Likely.” One day later, the CISA KEV catalog listed the flaw on evidence of active exploitation.
FortiSandbox carries weight of its own. Other Fortinet products depend on its verdicts to block threats and trigger automated responses. An attacker inside that box can therefore poison decisions across the stack.
How the attacks work
FortiSandbox command injection
Both Fortinet bugs score CVSS 9.1. Each stems from improper neutralization of special elements in OS commands. Crafted HTTP requests reach the vulnerable component, and CVE-2026-25089 lets an unauthenticated attacker run commands. Fortinet’s record for CVE-2026-39808 leaves the attack vector field unfilled, so treat that detail as incomplete.
In June, threat intelligence firm Defused observed exploitation attempts against both flaws. Defused described one exploit as likely faulty. Fortinet had not confirmed in-the-wild activity at that point. CISA now has.
SharePoint deserialization
CVE-2026-58644 scores CVSS 9.8 and involves deserialization of untrusted data. CISA describes an unauthorized attacker executing code over a network. Microsoft’s own FAQ, however, states the attacker needs Site Owner rights at minimum. That gap deserves attention when you model risk.
Affected versions
- CVE-2026-25089: FortiSandbox 5.0.0-5.0.5, 4.4.0-4.4.8, 4.2 (all versions), plus Cloud and PaaS 5.0.4-5.0.5
- CVE-2026-39808: FortiSandbox 4.4.0-4.4.8
- CVE-2026-58644: Microsoft SharePoint. One KB covers both SharePoint Server 2016 and Enterprise Server 2016.
Patch and mitigation steps
Apply vendor updates now. Fortinet has fixed both FortiSandbox flaws, and Microsoft shipped the SharePoint patch in July. FCEB agencies face a July 19, 2026 deadline under BOD 26-04, which also carries forensic triage expectations. Everyone else should treat the CISA KEV catalog entries as a patch-now signal, not a suggestion.
One planning note: July’s Patch Tuesday ended support for SharePoint Server 2016 and 2019. Start mapping a migration path alongside this fix.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.