Cyber Resilience

CVE-2026-25089

Critical · RCE · Updated

Published: 09 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: available (see vendor advisory)
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.2339 (97.5th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25089 is a critical-severity OS Command Injection (CWE-78) vulnerability in Fortinet FortiSandbox. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25089 is an OS command injection vulnerability, tracked under CWE-78, that affects multiple Fortinet FortiSandbox versions: 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, all 4.2 releases, and the corresponding FortiSandbox Cloud and FortiSandbox PaaS builds 5.0.4 through 5.0.5. The flaw stems from improper neutralization of special elements in OS commands and carries a CVSS 3.1 base score of 9.8.

An unauthenticated remote attacker can exploit the issue by sending specially crafted HTTP requests to the affected appliance, resulting in arbitrary command execution with full impact on the confidentiality, integrity, and availability of the system.

The Fortinet advisory FG-IR-26-141 provides official details on the vulnerability and is the primary source for mitigation guidance, including recommended upgrade paths for each affected branch.

EPSS remains low and unchanged at 0.0203 with no observed increase after disclosure.

Vulnerability details

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection in the public-facing FortiSandbox appliance enables remote unauthenticated exploitation (T1190), resulting in arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

- fortinet / fortisandbox: 4.2.0 through 4.2.8 · 4.4.0 through 4.4.9 · 5.0.0 through 5.0.6
- fortinet / fortisandbox cloud: 5.0.4 through 5.0.6
- fortinet / fortisandbox paas: 5.0.4 through 5.0.6

Note that the upper bounds listed here (4.4.9, 5.0.6) sit one release above the affected ranges quoted in the vulnerability details (4.4.8, 5.0.5); confirm the exact fixed versions against the vendor advisory before marking an asset as patched.

Mitigating Controls (NIST 800-53 r5) [AI]

- SI-10 Information Input Validation (prevent): Directly requires validation and neutralization of untrusted input in HTTP requests, preventing the OS command injection described in CWE-78.
- SI-2 Flaw Remediation (prevent): Mandates timely application of vendor patches that remediate the command-injection flaw in the affected FortiSandbox versions.
- SC-7 Boundary Protection (prevent): Enforces boundary protection and traffic filtering that can restrict or deny the crafted HTTP requests used to trigger the vulnerability.
