Skip to content
Tech News
← Back to articles

CVE-2026-25089: FortiSandbox unauthenticated command injection added to CISA KEV

read original more articles
Why This Matters

The discovery of CVE-2026-25089 highlights a critical security flaw in Fortinet FortiSandbox that allows unauthenticated command injection, posing significant risks to organizations relying on this security tool. Its active exploitation underscores the urgency for affected users to update their systems and implement mitigations to prevent potential breaches.

Key Takeaways

JULY 16, 2026 CVSS 9.8 · CRITICAL · ACTIVELY EXPLOITED 5 MIN READ

CVE-2026-25089: Fortinet FortiSandbox Unauthenticated OS Command Injection — How to Find Exposed Instances on Your Network

Fortinet FortiSandbox contains an unauthenticated OS command injection vulnerability in its web interface. Fortinet's CNA record assigns CVSS 9.8, while its PSIRT advisory lists 9.1; NVD has not issued an independent score. Defused reported exploitation attempts in mid-June, and CISA added CVE-2026-25089 to KEV on July 16 with a July 19 deadline for applicable FCEB systems. This is the third FortiSandbox vulnerability exploited in the wild within two months.

The Vulnerability

CVE-2026-25089 (CWE-78: Improper Neutralization of Special Elements used in an OS Command) is an OS command injection in FortiSandbox's web UI. The flaw is reported to affect the "start VNC" feature — an attacker can inject shell metacharacters via JSON payloads in HTTP requests to this endpoint. No authentication is required, no user interaction is needed, and attack complexity is low.

CVSS: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — Fortinet CNA record; Fortinet PSIRT advisory lists 9.1; NVD has not published an independent assessment

9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — Fortinet CNA record; Fortinet PSIRT advisory lists 9.1; NVD has not published an independent assessment CWE: CWE-78 (OS Command Injection)

CWE-78 (OS Command Injection) AFFECTED: FortiSandbox 4.2.x (all versions), 4.4.0–4.4.8, 5.0.0–5.0.5; FortiSandbox Cloud 5.0.4–5.0.5; FortiSandbox PaaS 5.0.4–5.0.5

FortiSandbox 4.2.x (all versions), 4.4.0–4.4.8, 5.0.0–5.0.5; FortiSandbox Cloud 5.0.4–5.0.5; FortiSandbox PaaS 5.0.4–5.0.5 FIXED: FortiSandbox 4.4.9+, 5.0.6+; Cloud/PaaS 5.0.6+; the CNA record lists 4.2 as affected but Fortinet's advisory does not provide a 4.2 remediation — contact Fortinet for migration guidance

FortiSandbox 4.4.9+, 5.0.6+; Cloud/PaaS 5.0.6+; the CNA record lists 4.2 as affected but Fortinet's advisory does not provide a 4.2 remediation — contact Fortinet for migration guidance EXPLOITED: Active exploitation confirmed since mid-June 2026 — CISA KEV listed July 16, 2026 · BOD 26-04 deadline July 19, 2026 (FCEB agencies)

... continue reading