CVE-2026-25836
Published: 10 March 2026
Summary
CVE-2026-25836 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet FortiSandbox Cloud. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-25836 is an OS command injection vulnerability (CWE-78) in Fortinet FortiSandbox Cloud version 5.0.4, arising from improper neutralization of special elements used in OS commands. Published on 2026-03-10, it has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H): the vulnerable path is reachable over the network with low attack complexity, but only by an account that already holds high privileges.
The vulnerability can be exploited by a privileged attacker with super-admin profile and CLI access, who can send crafted HTTP requests to execute unauthorized code or commands on the affected system. Successful exploitation has high confidentiality, integrity, and availability impact, with scope unchanged (S:U).
Fortinet has issued PSIRT advisory FG-IR-26-096, available at https://fortiguard.fortinet.com/psirt/FG-IR-26-096, which provides further details on the vulnerability and recommended mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10531
Vulnerability details
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests.
- CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
OS command injection (CWE-78) via crafted HTTP requests to the network-accessible FortiSandbox service enables exploitation of the public-facing application (T1190) and, for a privileged admin, direct execution of arbitrary Unix shell commands (T1059.004).
Mitigating Controls (NIST 800-53 r5) (AI)
SI-10 (Information Input Validation): directly requires validation and neutralization of untrusted input in HTTP requests before it is used to construct OS commands, blocking the CWE-78 injection vector.
AC-6 (Least Privilege): restricts the assignment of super-admin privileges that are required to reach the vulnerable CLI path, reducing the population of accounts that can send the crafted requests.
Enforces disabling or limiting unnecessary CLI and command-execution capabilities on the FortiSandbox appliance so that even an authenticated super-admin cannot invoke the injected OS commands.
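As an added illustration of the SI-10 control (this is not Fortinet's code; the actual FortiSandbox code path is not public), the following Python places the CWE-78 shape beside a hardened handler that validates a hypothetical `host` HTTP parameter against a strict hostname pattern and passes it as a single argv element with no shell involved:

```python
import re
import subprocess

# Constructed allowlist for a hypothetical "host" request parameter. One DNS
# label: alphanumeric, optional inner hyphens, 1-63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def validate_hostname(value: str) -> str:
    """SI-10 style check: accept only a syntactically valid hostname, reject
    everything else (shell metacharacters, leading '-', empty labels)."""
    if not (0 < len(value) <= 253) or HOSTNAME_RE.fullmatch(value) is None:
        raise ValueError(f"rejected host parameter: {value!r}")
    return value


def vulnerable_command(host: str) -> str:
    """The CWE-78 shape: request data spliced into a string that a shell would
    parse. Returned for contrast only; nothing here executes it."""
    return f"host {host}"


def hardened_argv(host: str) -> list[str]:
    """Validated value becomes exactly one argv element; no shell ever parses it.
    'echo' stands in for the real diagnostic tool so the example runs offline."""
    return ["echo", "lookup", validate_hostname(host)]


def run_diagnostic(host: str) -> str:
    """Execute the hardened form (shell=False is the subprocess default) and
    return the tool's stdout."""
    result = subprocess.run(hardened_argv(host), capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    for candidate in ["sandbox.example.com", "example.com; id", "-n"]:
        try:
            print(run_diagnostic(candidate))
        except ValueError as exc:
            print(exc)
```

The same validated value is what a least-functionality control (the third mitigation above) would never let reach a shell in the first place; the allowlist is the layer that holds even when an authenticated super-admin is the one sending the request.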