CVE-2026-25089 – FortiSandbox
“Security tools lose their value when attackers can turn them into command execution platforms.”
Fortinet patched CVE-2026-25089 in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. This OS command injection vulnerability (CWE-78) could allow an unauthenticated attacker to execute unauthorized commands through specially crafted HTTP requests. The CVSS score is 9.1, which is Critical severity.
The vulnerability affects FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, all FortiSandbox 4.2 versions, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5. Successful exploitation could allow remote code execution without requiring authentication or user interaction. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.
Key Details
- Affected Product
- Fortinet Fortisandbox
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-78