How severe is CVE-2026-25089?

CVE-2026-25089 is rated critical severity with a CVSS score of 9.8 out of 10.

Is there a public proof-of-concept (PoC) for CVE-2026-25089?

Yes. Public exploit material exists via 1 GitHub PoC repository. See the references section for direct links. Treat all linked code as untrusted and use only in authorized, isolated lab environments.

What products are affected by CVE-2026-25089?

CVE-2026-25089 affects multiple products. Check vendor advisories for specific affected versions.

How do I fix CVE-2026-25089?

Apply the latest security patches from the vendor. If patching is not immediately possible, review the mitigation steps in this advisory and monitor for exploitation attempts.

FortiSandbox unauth RCE (CVE-2026-25089) [PoC]

Patch now - CVE-2026-25089 is a critical OS command injection vulnerability in Fortinet FortiSandbox versions 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, and 4.2 all versions that allows an unauthenticated attacker to execute arbitrary commands via crafted HTTP requests. Vendor patches are available; upgrade immediately.

Overview

CVE-2026-25089 is an improper neutralization of special elements used in an OS command vulnerability (OS command injection) affecting Fortinet FortiSandbox on-premises, FortiSandbox Cloud, and FortiSandbox PaaS. The flaw resides in how the product handles HTTP requests, allowing an attacker with network access to inject system-level commands without any authentication.

Impact

A successful exploit enables an unauthenticated remote attacker to execute arbitrary OS commands on the affected FortiSandbox appliance. This can lead to full system compromise, data exfiltration, lateral movement within the network, and potential disruption of sandboxing services. The vulnerability carries a CVSS score of 9.8 (Critical) due to its low attack complexity, no required privileges, and no user interaction.

Affected Versions

FortiSandbox: 5.0.0 through 5.0.5
FortiSandbox: 4.4.0 through 4.4.8
FortiSandbox: 4.2 all versions
FortiSandbox Cloud: 5.0.4 through 5.0.5
FortiSandbox PaaS: 5.0.4 through 5.0.5

Remediation and Mitigation

Fortinet has released fixed versions to address CVE-2026-25089. Organizations should take the following actions:

Upgrade immediately: Update FortiSandbox to the latest patched version as specified in the Fortinet security advisory.
Restrict network access: If immediate patching is not possible, limit access to the FortiSandbox management interface to trusted IP addresses only.
Monitor for suspicious activity: Review logs for unexpected HTTP requests or unusual system command execution.

The exploitation of Fortinet products remains a common vector for threat actors. Recent campaigns have demonstrated adversaries targeting Fortinet appliances for initial access and credential theft. For broader context on current threats, see the Weekly Threat Roundup: Nx Console Supply Chain Attack (May 25-31), reports of Threat Actors Exploit Critical FortiClient EMS Flaw to, and the CyberStrikeAI tool adopted by hackers for AI-powered attacks.

Security Insight

This vulnerability falls into a pattern of critical OS command injection flaws in security appliances. Fortinet has had multiple similar issues in recent years, which suggests a systemic need to shift from manual input validation to parameterized APIs and allowlisting of system commands. Organizations running FortiSandbox in air-gapped or sensitive environments should treat this as a priority patch, as the lack of authentication requirements means internet-exposed instances are trivially exploitable.

FortiSandbox unauth RCE (CVE-2026-25089) [PoC]

Overview

Impact

Affected Versions

Remediation and Mitigation

Security Insight

Further Reading

Never miss a critical vulnerability

Public PoC References

Related Advisories

Overview

Impact

Affected Versions

Remediation and Mitigation

Related Threats

Security Insight

Further Reading

Never miss a critical vulnerability

Public PoC References

Related Advisories

Never Miss a Critical Alert