CVE-2026-25089
Published 2026-06-09
Priority: P1 · 94 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 23.39% (97.5th percentile)
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortisandbox | — | — |
| fortinet | fortisandbox | 4.2.0 – 4.2.8 | — |
| fortinet | fortisandbox | 4.2.1 – 4.2.8 | — |
| fortinet | fortisandbox | >= 4.4.0 < 4.4.9 | 4.4.9 |
| fortinet | fortisandbox | 4.4.0 – 4.4.8 | — |
| fortinet | fortisandbox | >= 5.0.0 < 5.0.6 | 5.0.6 |
| fortinet | fortisandbox | 5.0.0 – 5.0.5 | — |
| fortinet | fortisandbox_cloud | >= 5.0.4 < 5.0.6 | 5.0.6 |
| fortinet | fortisandbox_cloud | 5.0.4 – 5.0.5 | — |
| fortinet | fortisandbox_paas | >= 5.0.4 < 5.0.6 | 5.0.6 |
| fortinet | fortisandbox_paas | 5.0.4 – 5.0.5 | — |
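A small inventory triage helper, added here and not part of the page's sources or any Fortinet tool, that encodes the affected ranges from the table above and reports which entries still need the fix; the host names and versions it runs on are constructed sample data.

```python
# Added triage helper, not from the advisory or any Fortinet tool: it encodes the
# affected ranges from the table above and flags inventory entries that still
# need the fix. Hostnames and versions below are constructed sample data.
# Rows: (product, lowest affected, first unaffected, fixed build); half-open [low, high).
# "FortiSandbox 4.2 all versions" is encoded as [4.2.0, 4.3.0) with no fixed
# build, since the page lists none for that branch.
AFFECTED = [
    ("fortisandbox",       (4, 2, 0), (4, 3, 0), None),
    ("fortisandbox",       (4, 4, 0), (4, 4, 9), (4, 4, 9)),
    ("fortisandbox",       (5, 0, 0), (5, 0, 6), (5, 0, 6)),
    ("fortisandbox_cloud", (5, 0, 4), (5, 0, 6), (5, 0, 6)),
    ("fortisandbox_paas",  (5, 0, 4), (5, 0, 6), (5, 0, 6)),
]

def parse_version(text):
    """'5.0.3' -> (5, 0, 3); pads short strings like '4.4' so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, version):
    """Return whether (product, version) falls in an affected range and the fixed build."""
    v = parse_version(version)
    for prod, low, high, fixed in AFFECTED:
        if prod == product and low <= v < high:
            return {"affected": True,
                    "fixed_in": ".".join(map(str, fixed)) if fixed else None}
    return {"affected": False, "fixed_in": None}

def triage(inventory):
    """inventory: iterable of (host, product, version) -> list of (host, product, version, action)."""
    findings = []
    for host, product, version in inventory:
        result = assess(product, version)
        if not result["affected"]:
            continue
        if result["fixed_in"]:
            action = f"upgrade to {result['fixed_in']}"
        else:
            action = "no fixed build listed on the page; move to a fixed branch"
        findings.append((host, product, version, action))
    return findings

if __name__ == "__main__":
    sample = [("fsa-dc1", "fortisandbox", "5.0.5"), ("fsa-dc2", "fortisandbox", "5.0.6"),
              ("fsa-lab", "fortisandbox", "4.2.8"), ("fsa-cloud", "fortisandbox_cloud", "5.0.3")]
    for row in triage(sample):
        print(*row)
```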
Detection & IOCs (extracted from sources)
- CVE-2026-25089 is exploited via specifically crafted HTTP requests targeting the FortiSandbox web UI; monitor for anomalous or malformed HTTP requests to FortiSandbox management interfaces from unauthenticated sources.
- The vulnerable feature is the 'start vnc' functionality, which accepts JSON input; inspect HTTP requests carrying JSON payloads directed at the VNC-related API endpoint for OS command injection patterns (CWE-78).
- Active exploitation of CVE-2026-25089 has been observed in the wild; treat any FortiSandbox exposure as actively targeted and prioritize detection and patching.
- The circulating exploit for CVE-2026-25089 shows signs of AI-generated development and is reportedly faulty; no fully working public exploit has been disclosed, but attempted exploitation activity should still be expected.
- Affected versions span FortiSandbox 5.0.0–5.0.5, 4.4.0–4.4.8, all 4.2.x versions, FortiSandbox Cloud 5.0.4–5.0.5, and FortiSandbox PaaS 5.0.4–5.0.5; scope detection rules accordingly.
- This is a second-order OS command injection (CWE-78) via JSON input, meaning the injected payload may be stored and triggered later rather than immediately, so standard first-order injection detection may miss it.
- CVSS score differs between sources: NVD lists 9.1 while Fortinet's own PSIRT advisory rates it 9.8 (Critical); use 9.8 for internal risk prioritization.
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
ghsa_unreviewed · 2026-06-09 · CVE-2026-25089 [CRITICAL] · CWE-78
VulnCheck
vulncheck · 2026 · CVSS 9.8 · CVE-2026-25089 [CRITICAL]
Fortinet fortisandbox Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: Fortinet fortisandbox
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://x.com/DefusedCyber/status/2066575288503255274
Fortinet
vendor_fortinet · 2026-06-09 · CVSS 9.8 · CVE-2026-25089 [CRITICAL] · CWE-78
FG-IR-26-141: Second-Order OS Command Injection via JSON Input on start vnc feature
CVEs: CVE-2026-25089
CWEs: CWE-78
CVSS: 9.8 (critical)
Affected products: FortiSandbox, Fortinet
No detection rules found.
No public exploits indexed.
Checkpoint
22nd June – Threat Intelligence Report
blogs_checkpoint · 2026-06-22 · tagged CVE-2026-42824
## 22nd June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 22nd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Texas Parks and Wildlife Department has been affected by a third-party data breach involving its license system vendor. The incident exposed driver’s license information, passport numbers, emails, phone numbers, and residential addresses for 3,087,721 hunting and fishing license customers. Social Security numbers and payment dat
Bleepingcomputer
blogs_bleepingcomputer · 2026-06-16 · CVSS 6.5 · tagged CVE-2026-39813 [MEDIUM]
## Critical Fortinet FortiSandbox flaws now exploited in attacks
By Sergiu Gatlan
Attackers are now exploiting several critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform, according to threat intelligence company Defused.
Fortinet released security updates for these three critical-severity security flaws (tracked as CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089) on April 14.
These flaws allow unauthenticated threat actors to escalate privileges and execute unauthorized code remotely through low-complexity command injection attacks that require no user interaction. To resolve these issues and block incoming attacks, admins must upgrade affected deployments to the latest released versions.
"We are observing exploitation of multiple Fortinet FortiS
Hackernews
blogs_hackernews · 2026-06-16 · CVSS 9.8 · tagged CVE-2026-39813 [CRITICAL]
## Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last Week
Bad actors are exploiting multiple security vulnerabilities in Fortinet FortiSandbox, according to threat intelligence firm Defused Cyber.
In a post shared on X, the company said it has observed exploitation of CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 over the past 24 hours.
CVE-2026-39813 (CVSS score: 9.1) refers to a path traversal vulnerability in FortiSandbox JRPC API that could allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.
The second flaw, CVE-2026-39808 (CVSS score: 9.1), is a case o
Hackernews
blogs_hackernews · 2026-06-10 · CVSS 10.0 · tagged CVE-2026-25089 [CRITICAL]
## Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities
Fortinet, Ivanti, and SAP have released security updates to address multiple critical security vulnerabilities that could result in arbitrary code execution and information disclosure.
The security flaw patched by Fortinet relates to a command injection vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. It's tracked as CVE-2026-25089 (CVSS score: 9.1).
"An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allo