CVE: CVE-2026-25089, CVE-2026-26083 | CVSS 3.1: 9.8 (Critical) | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE: CWE-78 (OS Command Injection), CWE-862 (Missing Authorization) | Vendor: Fortinet | Product: FortiSandbox | Affected versions: 5.0.0–5.0.5, 4.4.0–4.4.8, 4.2 all, FortiSandbox Cloud 5.0.4–5.0.5, FortiSandbox PaaS 23.4–22.2
What Is the Vulnerability
CVE-2026-25089 is an OS command injection vulnerability in Fortinet FortiSandbox that allows an unauthenticated attacker to execute arbitrary commands via specially crafted HTTP requests, achieving complete system compromise (CVSS 9.8). CVE-2026-26083 is a missing authorization vulnerability that also enables an unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests (CVSS 9.8). A third path-traversal vulnerability was also disclosed concurrently. All three have been confirmed under active exploitation by researchers at Defused.
Versions Affected
- FortiSandbox 5.0.0 through 5.0.5
- FortiSandbox 4.4.0 through 4.4.8
- FortiSandbox 4.2 (all versions)
- FortiSandbox Cloud 5.0.4 through 5.0.5
- FortiSandbox PaaS 23.4, 23.3, 23.1, 22.2 (all versions)
Exploited?
Yes — actively exploited in the wild. Defused, a firm tracking security vulnerabilities, confirmed all three FortiSandbox vulnerabilities are under active exploitation as of late June/early July 2026. No information on attribution or impacted customers is currently available.
Fix
Fortinet released patches for CVE-2026-25089 on June 9, 2026. Patches for CVE-2026-26083 and the path-traversal vulnerability were also released in subsequent advisories.
- Primary fix: Update FortiSandbox to patched versions per Fortinet PSIRT advisories. Apply immediately.
- Workaround: Restrict HTTP access to FortiSandbox management interfaces to authorised IP addresses only.
Recommendations
- Apply patches immediately: FortiSandbox is internet-connected by design (it receives samples for analysis) and is a high-value target. The June 9 patch is already several weeks old.
- Audit access logs: Review FortiSandbox logs for signs of unauthorised HTTP requests or command execution.
- Restrict network access: Limit HTTP access to FortiSandbox to trusted management IPs only.
- Verify configuration integrity: Check for unauthorised changes to FortiSandbox rules, analysis settings, or user accounts.
References
- Cybersecurity Dive: Critical FortiSandbox vulnerabilities under exploitation
- NVD Entry for CVE-2026-25089
- NVD Entry for CVE-2026-26083
- Fortinet PSIRT Advisory (FortiSandbox)
Part of the Vulnerability Intelligence series on threat-modeling.com. July 5, 2026 Report.
