Cyber Posture

CVE-2026-25836

Severity: High · Type: RCE

Published: 10 March 2026
Modified: 18 March 2026
KEV Added: (not listed)
Patch: (none listed)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (15.6th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25836 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet FortiSandbox Cloud. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 15.6th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

OS command injection (CWE-78) via crafted HTTP requests to the network-accessible FortiSandbox service enables remote exploitation of the public-facing application (T1190) and direct, arbitrary Unix shell command execution (T1059.004) by a privileged admin.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests.

Deeper analysis (AI-generated)

CVE-2026-25836 is an OS command injection vulnerability (CWE-78) in Fortinet FortiSandbox Cloud version 5.0.4, arising from improper neutralization of special elements used in OS commands. Published on 2026-03-10, it has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high impact with network accessibility and low attack complexity once the required high privileges are obtained.

The vulnerability can be exploited by a privileged attacker with super-admin profile and CLI access, who can send crafted HTTP requests to execute unauthorized code or commands on the affected system. Successful exploitation grants high confidentiality, integrity, and availability impacts within the target's scope.

Fortinet has issued PSIRT advisory FG-IR-26-096, available at https://fortiguard.fortinet.com/psirt/FG-IR-26-096, which provides further details on the vulnerability and recommended mitigations.

Details

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected Products

Fortinet FortiSandbox Cloud 5.0.4

CVEs Like This One

CVE-2025-66178 (same vendor: Fortinet)
CVE-2024-50569 (same vendor: Fortinet)
CVE-2024-50566 (same vendor: Fortinet)
CVE-2026-39808 (same vendor: Fortinet)
CVE-2025-64155 (same vendor: Fortinet)
CVE-2024-50567 (same vendor: Fortinet)
CVE-2024-52961 (same vendor: Fortinet)
CVE-2025-58034 (same vendor: Fortinet)
CVE-2024-54018 (same vendor: Fortinet)
CVE-2024-55590 (same vendor: Fortinet)