
Fortinet FortiSandbox CVE-2026-25089
EUVD-2026-35443 · CRITICAL
OS Command Injection (CWE-78)
2026-06-09 · fortinet · GHSA-gw24-hwf5-92h2
CVSS 3.1 score 9.8 · Vendor: fortinet

Severity by source

Vendor (fortinet) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (fortinet) · only source for this CVE.

CVSS Vector (Vendor: fortinet)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

6 events

  • Analysis Updated, Jun 09, 2026 - 16:28 (vuln.today): v3 (cvss_changed)
  • Analysis Updated, Jun 09, 2026 - 16:27 (vuln.today): v2 (cvss_changed)
  • Re-analysis Queued, Jun 09, 2026 - 16:22 (vuln.today): cvss_changed
  • CVSS changed, Jun 09, 2026 - 16:22 (NVD): 9.1 (CRITICAL) → 9.8 (CRITICAL)
  • Analysis Generated, Jun 09, 2026 - 15:46 (vuln.today)
  • CVE Published, Jun 09, 2026 - 14:27 (nvd): CRITICAL 9.1

Description (CVE.org)

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.

Analysis (AI)

Unauthenticated OS command injection in Fortinet FortiSandbox (on-premise, Cloud, and PaaS variants) allows remote attackers to execute arbitrary operating system commands by sending specifically crafted HTTP requests to the management interface. The flaw carries a CVSS 9.8 rating with network-reachable, no-authentication, no-user-interaction characteristics, and no public exploit identified at time of analysis. …


Attack Chain (AI Derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify reachable FortiSandbox HTTP interface
Delivery: Craft HTTP request with shell metacharacters in vulnerable parameter
Exploit: Server passes input unsanitized to OS command (CWE-78)
Execution: Shell executes injected commands as service account
Persist: Drop web shell or reverse shell for persistence
Impact: Tamper with sandbox verdicts and pivot into management fabric

Vulnerability Assessment (AI)

Exploitation: The attacker needs only network reachability to the FortiSandbox HTTP service and the ability to send a specifically crafted HTTP request - no credentials, no user interaction, and no non-default toggle is called out in the advisory, consistent with PR:N/UI:N/AC:L in the CVSS vector. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes the worst-case profile: remotely reachable, low complexity, no authentication, no user interaction, and full confidentiality/integrity/availability impact - consistent with a 9.8 critical score and with the description's wording of an unauthenticated attacker reaching the HTTP endpoint. …

Exploit Scenario: An attacker who can reach the FortiSandbox HTTP interface - for example a compromised internal host, or an internet-exposed management portal - sends a crafted HTTP request whose parameters contain shell metacharacters that the vulnerable handler passes unsanitized to an OS command, yielding code execution under the service account. From that foothold the attacker can read submitted sample files and analysis verdicts, tamper with detection logic to whitelist their own malware, and pivot into the management fabric the sandbox is trusted to talk to (FortiGate, FortiAnalyzer, mail gateways). …

Remediation: Patch available per vendor advisory FG-IR-26-141 (https://fortiguard.fortinet.com/psirt/FG-IR-26-141) - consult that page for the exact fixed builds on the 5.0.x and 4.4.x branches and upgrade FortiSandbox on-premise appliances accordingly; FortiSandbox Cloud and PaaS tenants should confirm with Fortinet that the managed service has been remediated. …

Recommended Action (AI)

Within 24 hours: Inventory all FortiSandbox instances (on-premise, Cloud, and PaaS); audit network accessibility of management interfaces; enable detailed logging and alerting for suspicious HTTP requests to management endpoints. …



CVE-2026-25089 vulnerability details – vuln.today
