Cyber Resilience

CVE-2026-25836

Severity: High · Type: RCE · Status: Updated

Published: 10 March 2026
Modified: 12 May 2026
KEV Added: not listed (see Summary)
Patch: see vendor advisory FG-IR-26-096 (below)
CVSS v3.1 Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (16.8th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25836 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet FortiSandbox Cloud. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 16.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-25836 is an OS command injection vulnerability (CWE-78) in Fortinet FortiSandbox Cloud version 5.0.4, arising from improper neutralization of special elements used in OS commands. Published on 2026-03-10, it has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network with low attack complexity, but only once high privileges are obtained, and a successful exploit has high impact on confidentiality, integrity, and availability.

The vulnerability can be exploited by a privileged attacker holding a super-admin profile with CLI access, who can send crafted HTTP requests to execute unauthorized code or commands on the affected system. Successful exploitation yields high confidentiality, integrity, and availability impact; the scope is unchanged (S:U), so the impact is confined to the vulnerable component.

Fortinet has issued PSIRT advisory FG-IR-26-096, available at https://fortiguard.fortinet.com/psirt/FG-IR-26-096, which provides further details on the vulnerability and recommended mitigations.

Vulnerability details

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests.

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?
Why these techniques?

OS command injection (CWE-78) via crafted HTTP requests to a network-accessible FortiSandbox service enables remote exploitation of the public-facing application (T1190) and, for a privileged admin, direct execution of arbitrary Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-50566 (same vendor: Fortinet)
CVE-2024-52961 (same vendor: Fortinet)
CVE-2025-58034 (same vendor: Fortinet)
CVE-2025-64155 (same vendor: Fortinet)
CVE-2026-39808 (same vendor: Fortinet)
CVE-2024-50567 (same vendor: Fortinet)
CVE-2024-50569 (same vendor: Fortinet)
CVE-2025-66178 (same vendor: Fortinet)
CVE-2024-27778 (same vendor: Fortinet)
CVE-2025-53949 (same vendor: Fortinet)

Affected Assets

Vendor: fortinet
Product: fortisandbox cloud
Version: 5.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (type: prevent)

Directly requires validation and neutralization of untrusted input in HTTP requests before they are used to construct OS commands, blocking the CWE-78 injection vector.

AC-6 Least Privilege (type: prevent)

Restricts the assignment of super-admin privileges that are required to reach the vulnerable CLI path, reducing the population of accounts that can send the crafted requests.

Control ID not given on this page (type: prevent)

Enforces disabling or limiting unnecessary CLI and command-execution capabilities on the FortiSandbox appliance so that even an authenticated super-admin cannot invoke the injected OS commands.

References

Fortinet PSIRT advisory FG-IR-26-096: https://fortiguard.fortinet.com/psirt/FG-IR-26-096