JULY 16, 2026 CVSS 9.8 · CRITICAL · ACTIVELY EXPLOITED 5 MIN READ
CVE-2026-25089: Fortinet FortiSandbox Unauthenticated OS Command Injection — How to Find Exposed Instances on Your Network
Fortinet FortiSandbox contains an unauthenticated OS command injection vulnerability in its web interface. Fortinet's CNA record assigns CVSS 9.8, while its PSIRT advisory lists 9.1; NVD has not issued an independent score. Defused reported exploitation attempts in mid-June, and CISA added CVE-2026-25089 to KEV on July 16 with a July 19 deadline for applicable FCEB systems. This is the third FortiSandbox vulnerability exploited in the wild within two months.
The Vulnerability
CVE-2026-25089 (CWE-78: Improper Neutralization of Special Elements used in an OS Command) is an OS command injection in FortiSandbox's web UI. The flaw is reported to affect the "start VNC" feature — an attacker can inject shell metacharacters via JSON payloads in HTTP requests to this endpoint. No authentication is required, no user interaction is needed, and attack complexity is low.
CVSS: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — Fortinet CNA record; Fortinet PSIRT advisory lists 9.1; NVD has not published an independent assessment
9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — Fortinet CNA record; Fortinet PSIRT advisory lists 9.1; NVD has not published an independent assessment CWE: CWE-78 (OS Command Injection)
CWE-78 (OS Command Injection) AFFECTED: FortiSandbox 4.2.x (all versions), 4.4.0–4.4.8, 5.0.0–5.0.5; FortiSandbox Cloud 5.0.4–5.0.5; FortiSandbox PaaS 5.0.4–5.0.5
FortiSandbox 4.2.x (all versions), 4.4.0–4.4.8, 5.0.0–5.0.5; FortiSandbox Cloud 5.0.4–5.0.5; FortiSandbox PaaS 5.0.4–5.0.5 FIXED: FortiSandbox 4.4.9+, 5.0.6+; Cloud/PaaS 5.0.6+; the CNA record lists 4.2 as affected but Fortinet's advisory does not provide a 4.2 remediation — contact Fortinet for migration guidance
FortiSandbox 4.4.9+, 5.0.6+; Cloud/PaaS 5.0.6+; the CNA record lists 4.2 as affected but Fortinet's advisory does not provide a 4.2 remediation — contact Fortinet for migration guidance EXPLOITED: Active exploitation confirmed since mid-June 2026 — CISA KEV listed July 16, 2026 · BOD 26-04 deadline July 19, 2026 (FCEB agencies)
... continue reading