CVE-2026-25089

CRITICAL · 9.8 EPSS 2.7%

hype LIKELY HACK · 78 hack

Vendor patching + active exploitation reported; no KEV listing yet softens signal.

What: OS command injection in Fortinet FortiSandbox 4.2–5.0.5 and Cloud/PaaS variants allowing unauthenticated remote code execution via malformed HTTP requests (CVSS 9.8 CRITICAL).

Why it matters: Fortinet issued patches within 8 days of disclosure. Social chatter confirms active exploitation of this CVE alongside related FortiSandbox flaws (CVE-2026-39813, CVE-2026-39808). Multiple security vendors and threat intelligence firms report attackers weaponizing the vulnerability. Unauthenticated RCE on a sandbox/threat-analysis appliance creates direct risk to downstream security operations.

Where it's seen: Vendor advisories, Help Net Security and TheHackerNews coverage citing active attacks, security vendor (SecPod) mitigation guidance, multi-language social alerts flagging critical severity and exploitation.

RISK: CRITICAL — Unauthenticated RCE on security appliance; active exploitation confirmed by vendors.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/17/2026, 6:39:31 AM

Description

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests

CVSS 3.1 breakdown

Exploitability 3.9 · Impact 5.9

vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack vector: Network
Complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Weaknesses

CWE-78

References

Other · 1

https://fortiguard.fortinet.com/psirt/FG-IR-26-141