Fortinet's advisory names two vulnerabilities in FortiSandbox and calls them "actively exploited." CISA's emergency directive, issued the same week, gives federal civilian agencies until Sunday to patch, a compression normally reserved for flaws already sitting in a known exploit chain rather than freshly disclosed ones. FortiSandbox sits inline on the inspection path for file detonation, which means a working exploit there does not just compromise a box, it blinds the control the network was relying on to catch the next stage. The two-day window says CISA has telemetry on active use it has not detailed publicly.
The precedent is FortiOS SSL-VPN in 2023 and 2024, where Fortinet's own disclosures consistently trailed exploitation by weeks, and organizations patching on Fortinet's calendar rather than CISA's ended up remediating intrusions instead of vulnerabilities. FortiSandbox deployments in Hong Kong's banking sector fall under HKMA's incident-notification rules the moment exploitation is confirmed rather than suspected, and the operative control here is not the patch, which lands after compromise, but whether SOC teams flagged FortiSandbox as a detonation-path asset in their exposure inventory before this week. Assets tagged that way get isolated by Sunday, July 20. Assets that weren't get discovered during incident response.