CVE-2026-25089
Published: 09 June 2026
Summary
CVE-2026-25089 is a critical-severity OS Command Injection (CWE-78) vulnerability in Fortinet FortiSandbox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25089 is an OS command injection vulnerability, tracked under CWE-78, that affects multiple versions of Fortinet FortiSandbox including 5.0.0-5.0.5, 4.4.0-4.4.8, all releases of 4.2, and corresponding FortiSandbox Cloud and PaaS builds 5.0.4-5.0.5. The flaw stems from improper neutralization of special elements in OS commands and carries a CVSS 3.1 base score of 9.8.
An unauthenticated remote attacker can exploit the issue by sending specially crafted HTTP requests to the affected appliance, resulting in arbitrary command execution and full compromise of the system's confidentiality, integrity, and availability.
The Fortinet advisory FG-IR-26-141 provides official details on the vulnerability and is the primary source for mitigation guidance, including recommended upgrade paths for each affected branch.
EPSS remains low and unchanged at 0.0203 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-35443
Vulnerability details
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
OS command injection in the public-facing FortiSandbox appliance enables remote unauthenticated exploitation (T1190), resulting in arbitrary Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and neutralization of untrusted input in HTTP requests, preventing the OS command injection described in CWE-78.
- SI-2 (Flaw Remediation): mandates timely application of vendor patches that remediate the command-injection flaw in the affected FortiSandbox versions.
- Boundary protection and traffic filtering: enforces perimeter controls that can restrict or deny the crafted HTTP requests used to trigger the vulnerability.