AI description
CVE-2026-25089 is an operating system (OS) command injection vulnerability affecting Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. This flaw, categorized as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), allows an unauthenticated, remote attacker to execute unauthorized commands on the appliance. The vulnerability is triggered by sending specially crafted HTTP requests, specifically exploiting a second-order command injection within the JSON input of the "start VNC" feature in the web-based management interface. Successful exploitation of CVE-2026-25089 can lead to the execution of arbitrary OS commands on the underlying system. Affected versions include FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, all FortiSandbox 4.2 versions, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5.
- Description
- An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
- Source
- psirt@fortinet.com
- NVD status
- Analyzed
- Products
- fortisandbox, fortisandbox_cloud, fortisandbox_paas
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- Weakness source
- psirt@fortinet.com
- CWE
- CWE-78
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 6
🚨We are observing exploitation of multiple Fortinet FortiSandbox vulnerabilities during the past 24 hours, including: CVE-2026-39813 (no previous recorded exploitation) CVE-2026-39808 CVE-2026-25089 (vibecoded, likely faulty exploit) Per our research a working exploit for
@DefusedCyber
15 Jun 2026
2979 impressions · 7 retweets · 26 likes · 7 bookmarks · 1 reply · 1 quote
🔒 #CyberSecurity CVE-2026-25089: FortiSandbox Command Injection — Detection and Remediation Guide "Fortinet addresses CVE-2026-25089 (CVSS 9.1), a critical command injection…" 🔗 https://t.co/69695owlOS #CyberSecurity #ThreatIntel #sigmarule #kqldetection #threathunt
@SecurityAr58409
11 Jun 2026
58 impressions · 0 retweets · 1 like · 0 bookmarks · 0 replies · 0 quotes
Configurations (NVD CPE match data)

```json
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "814D77BE-F536-42DE-B068-F92B95D68248",
            "versionEndIncluding": "4.2.8",
            "versionStartIncluding": "4.2.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "0025C9C0-8D61-4563-96F9-F4E09DD83B26",
            "versionEndExcluding": "4.4.9",
            "versionStartIncluding": "4.4.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "3AAEF316-2134-4398-911C-E7532CD3AFF2",
            "versionEndExcluding": "5.0.6",
            "versionStartIncluding": "5.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox_cloud:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "D479507F-4DD8-4455-A8DB-138AD56C6822",
            "versionEndExcluding": "5.0.6",
            "versionStartIncluding": "5.0.4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:fortinet:fortisandbox_paas:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "61A9A2E9-3086-4172-B3A3-212873B8C4A9",
            "versionEndExcluding": "5.0.6",
            "versionStartIncluding": "5.0.4",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]
```