CVE-2026-25089 – FortiSandbox

CVSS 9.8 CRITICAL Critical or Zero Day – Immediate Deployment

“Security tools lose their value when attackers can turn them into command execution platforms.”

Fortinet patched CVE-2026-25089 in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. This OS command injection vulnerability (CWE-78) could allow an unauthenticated attacker to execute unauthorized commands through specially crafted HTTP requests. The CVSS score is 9.1, which is Critical severity.

The vulnerability affects FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, all FortiSandbox 4.2 versions, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5. Successful exploitation could allow remote code execution without requiring authentication or user interaction. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.

Key Details

Affected Product
Fortinet Fortisandbox
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-78
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.