Fortinet FortiSandbox Vulnerability Allows Attackers to Execute Unauthorized Commands

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Fortinet has disclosed a critical security vulnerability in its FortiSandbox product line that could allow unauthenticated remote attackers to execute arbitrary OS commands through the web interface.

The flaw, tracked as CVE-2026-25089 and assigned a CVSSv3 score of 9.1 (Critical), affects multiple versions of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS deployments.

The vulnerability stems from an improper neutralization of special elements used in an OS command (CWE-78) commonly known as OS command injection present in the FortiSandbox Web UI.

By sending specifically crafted HTTP requests, a remote, unauthenticated attacker can exploit this flaw to execute unauthorized commands on the underlying system.

Because no authentication is required to trigger the vulnerability, the attack complexity is low, and the potential blast radius is significant. Successful exploitation can result in the full compromise of the affected system’s confidentiality, integrity, and availability, which explains its near-maximum CVSS score.

The advisory was discovered and reported internally by Adham El Karn of Fortinet’s Product Security team and published on June 9, 2026, under the internal reference FG-IR-26-141.

Affected Versions and Fixes

The vulnerability impacts the following product versions:

Product Affected Versions Fix
FortiSandbox 5.0.0 – 5.0.5 Upgrade to 5.0.6 or above
FortiSandbox 4.4.0 – 4.4.8 Upgrade to 4.4.9 or above
FortiSandbox Cloud 5.0.4 – 5.0.5 Upgrade to 5.0.6 or above
FortiSandbox PaaS 5.0.4 – 5.0.5 Upgrade to 5.0.6 or above

FortiSandbox 5.2, FortiSandbox Cloud 4.4, FortiSandbox Cloud 5.2, FortiSandbox PaaS 4.4, FortiSandbox PaaS 5.2, and FortiSandbox PaaS 23.4 are not affected by this vulnerability.

While there are currently no reports of active exploitation in the wild, the unauthenticated nature of this attack vector makes it a high-priority target for threat actors.

FortiSandbox is widely deployed in enterprise environments as a malware analysis and threat detection platform, meaning a successful compromise could undermine an organization’s entire threat detection pipeline, giving attackers a strategic foothold.

Security teams are strongly advised to take the following steps immediately:

  • Upgrade affected FortiSandbox installations to version 5.0.6 or 4.4.9 or above
  • Restrict web UI access to trusted IP ranges as a temporary mitigation
  • Monitor logs for anomalous HTTP requests targeting the FortiSandbox web interface
  • Review Fortinet’s official advisory at the Fortinet PSIRT portal for further guidance

Organizations still running any affected 4.4.9 or 5.0.6 builds should treat this as an urgent patching priority given the critical severity and zero-authentication requirement.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.

The post Fortinet FortiSandbox Vulnerability Allows Attackers to Execute Unauthorized Commands appeared first on Cyber Security News.