CVE-2026-25089 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-25089 | CVSS 9.8 (Critical) | Exploit: PoC available
What Is It
CVE-2026-25089 is an OS command injection vulnerability affecting Fortinet FortiSandbox (on-premises), FortiSandbox Cloud, and FortiSandbox PaaS, allowing unauthenticated remote attackers to execute arbitrary operating system commands via crafted HTTP requests.
Technical Detail
The flaw stems from improper neutralization of special elements in OS commands within the FortiSandbox HTTP request handling layer, enabling an attacker to inject and execute arbitrary commands without any prior authentication. An attacker sends a specifically crafted HTTP request to the exposed interface, causing the underlying system to interpret attacker-controlled input as OS-level commands. Successful exploitation results in unauthenticated remote code execution (RCE) with the privileges of the affected service, potentially granting full system compromise of the sandbox appliance or cloud instance.
Exploitation Status
A proof-of-concept (PoC) exploit is publicly available as of this writing. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and active in-the-wild exploitation has not been confirmed at this time. However, the availability of a PoC combined with the critical CVSS score of 9.8 and the unauthenticated attack vector significantly lowers the barrier for exploitation and increases the likelihood of active abuse in the near term.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been identified in connection with this vulnerability. Organizations should not interpret the absence of attribution as an indicator of low risk, given the severity and public PoC availability.
What To Do
Patch immediately. Fortinet has assigned this a critical severity rating and organizations running affected versions should prioritize remediation. Affected versions include FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, all FortiSandbox 4.2 versions, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5. Apply the vendor-supplied patches as directed in Fortinet's security advisory. If patching cannot be completed immediately, restrict access to the FortiSandbox management interface at the network perimeter, limiting exposure to trusted IP ranges only. Monitor HTTP access logs for anomalous or malformed requests targeting the FortiSandbox interface as a detection signal. Cloud and PaaS deployments should verify with Fortinet whether vendor-side mitigations have been applied automatically or require customer action.