Fortinet FortiSandbox: CVE-2026-25089 and CVE-2026-26083 — Two Critical CVSS 9.8 Vulnerabilities Under Active Exploitation

CVE: CVE-2026-25089, CVE-2026-26083 | CVSS 3.1: 9.8 (Critical) | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE: CWE-78 (OS Command Injection), CWE-862 (Missing Authorization) | Vendor: Fortinet | Product: FortiSandbox | Affected versions: 5.0.0–5.0.5, 4.4.0–4.4.8, 4.2 all, FortiSandbox Cloud 5.0.4–5.0.5, FortiSandbox PaaS 23.4–22.2


What Is the Vulnerability

CVE-2026-25089 is an OS command injection vulnerability in Fortinet FortiSandbox that allows an unauthenticated attacker to execute arbitrary commands via specially crafted HTTP requests, achieving complete system compromise (CVSS 9.8). CVE-2026-26083 is a missing authorization vulnerability that also enables an unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests (CVSS 9.8). A third path-traversal vulnerability was also disclosed concurrently. All three have been confirmed under active exploitation by researchers at Defused.


Versions Affected

  • FortiSandbox 5.0.0 through 5.0.5
  • FortiSandbox 4.4.0 through 4.4.8
  • FortiSandbox 4.2 (all versions)
  • FortiSandbox Cloud 5.0.4 through 5.0.5
  • FortiSandbox PaaS 23.4, 23.3, 23.1, 22.2 (all versions)

Exploited?

Yes — actively exploited in the wild. Defused, a firm tracking security vulnerabilities, confirmed all three FortiSandbox vulnerabilities are under active exploitation as of late June/early July 2026. No information on attribution or impacted customers is currently available.


Fix

Fortinet released patches for CVE-2026-25089 on June 9, 2026. Patches for CVE-2026-26083 and the path-traversal vulnerability were also released in subsequent advisories.

  • Primary fix: Update FortiSandbox to patched versions per Fortinet PSIRT advisories. Apply immediately.
  • Workaround: Restrict HTTP access to FortiSandbox management interfaces to authorised IP addresses only.

Recommendations

  • Apply patches immediately: FortiSandbox is internet-connected by design (it receives samples for analysis) and is a high-value target. The June 9 patch is already several weeks old.
  • Audit access logs: Review FortiSandbox logs for signs of unauthorised HTTP requests or command execution.
  • Restrict network access: Limit HTTP access to FortiSandbox to trusted management IPs only.
  • Verify configuration integrity: Check for unauthorised changes to FortiSandbox rules, analysis settings, or user accounts.
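The log-audit and network-restriction points above can be checked together with a small script. The following is an added example, not code from the original report or from Fortinet: it parses a few constructed access-log lines in a generic combined-log style (not FortiSandbox's real log format), flags requests that did not come from a constructed management allowlist, and flags request paths or query strings that contain shell metacharacters after percent-decoding, which is the generic signature of the CWE-78 class the advisory describes. The request paths, IP ranges and timestamps are all hypothetical placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Constructed allowlist of trusted management networks (assumption, not from the advisory).
TRUSTED_MGMT = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample log lines. Paths such as /example/submit are hypothetical
# placeholders and are NOT FortiSandbox endpoints or indicators from the advisory.
SAMPLE_LOG = """\
10.10.5.20 - admin [05/Jul/2026:09:14:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.45 - - [05/Jul/2026:09:15:11 +0000] "POST /example/submit?name=sample.exe HTTP/1.1" 200 88
198.51.100.7 - - [05/Jul/2026:09:16:30 +0000] "POST /example/submit?name=a.exe;id HTTP/1.1" 200 88
10.10.5.21 - - [05/Jul/2026:09:17:45 +0000] "GET /example/status?q=%24%28id%29 HTTP/1.1" 500 0
"""

# Generic combined-log-style line: client ip, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Shell metacharacters that should never appear in a benign sample-name or query value.
# A lone '&' is excluded because it is the normal query-string separator.
SHELL_META_RE = re.compile(r'(;|\||`|\$\(|\$\{)')


@dataclass
class Finding:
    line_no: int
    src_ip: str
    path: str
    reasons: List[str]


def is_trusted(ip_str: str, allowlist=TRUSTED_MGMT) -> bool:
    """True if the source address falls inside one of the trusted management networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # unparseable address is never trusted
    return any(ip in net for net in allowlist)


def has_shell_metachars(path: str) -> bool:
    """Decode percent-encoding twice (catches double-encoded payloads) and look for metacharacters."""
    decoded = unquote(unquote(path))
    return bool(SHELL_META_RE.search(decoded))


def audit(log_text: str, allowlist=TRUSTED_MGMT) -> List[Finding]:
    """Return one Finding per log line that violates the allowlist or carries shell metacharacters."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # in production, count unparseable lines rather than silently skipping them
        reasons = []
        if not is_trusted(m["ip"], allowlist):
            reasons.append("source not in management allowlist")
        if has_shell_metachars(m["path"]):
            reasons.append("shell metacharacters in request path/query")
        if reasons:
            findings.append(Finding(line_no, m["ip"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src_ip} {f.path} -> {', '.join(f.reasons)}")
```

Run against the constructed sample, the script reports lines 2 to 4: line 2 only because of its untrusted source, line 3 for both reasons, and line 4 (a trusted address) only for the percent-encoded `$(...)` in its query. The decode-then-match step matters: matching on the raw line would miss the encoded form on line 4. Treat the metacharacter check as a triage heuristic that prioritises manual review, not as proof of exploitation.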

Part of the Vulnerability Intelligence series on threat-modeling.com. July 5, 2026 Report.
