CVE Details

CVE-2026-25089 Fortinet FortiSandbox OS Command Injection Vulnerability
Published: 2026-07-16 CVSS: 9.1 CRITICAL Product: Fortinet FortiSandbox Due Date: 2026-07-19

Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS contain an OS command injection vulnerability that allows an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.

GitHub PoC

Warning: GitHub PoC repositories are unverified. Some may be fake or contain malware. Use caution and review code before running anything.

FIRST EPSS

EPSS estimates the probability of exploitation in the next 30 days. Higher values indicate higher likelihood of real-world exploitation.

Timeline

CVE Stalker KEV MITRE GitHub FIRST (EPSS)

MITRE

CVSS

  • Score: 9.1
  • Severity: CRITICAL
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

SSVC

  • Exploitation: none
  • Automatable: yes
  • Technical Impact: total

References

Show Raw Data
Key Remaining Key Value
dataType CVE_RECORD
dataVersion 5.2
cveMetadata > cveId CVE-2026-25089
cveMetadata > assignerOrgId 6abe59d8-c742-4dff-8ce8-9b0ca1073da8
cveMetadata > state PUBLISHED
cveMetadata > assignerShortName fortinet
cveMetadata > dateReserved 2026-01-29T09:27:29.820Z
cveMetadata > datePublished 2026-06-09T14:27:47.492Z
cveMetadata > dateUpdated 2026-06-10T13:35:01.375Z
containers > cna > affected > 0 > vendor Fortinet
containers > cna > affected > 0 > product FortiSandbox
containers > cna > affected > 0 > cpes > 0 cpe:2.3:a:fortinet:fortisandbox:5.0.5:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 1 cpe:2.3:a:fortinet:fortisandbox:5.0.4:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 2 cpe:2.3:a:fortinet:fortisandbox:5.0.3:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 3 cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 4 cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 5 cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 6 cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 7 cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 8 cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 9 cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 10 cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 11 cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 12 cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 13 cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 14 cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 15 cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 16 cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 17 cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 18 cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 19 cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 20 cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 21 cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*
containers > cna > affected > 0 > cpes > 22 cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*
containers > cna > affected > 0 > defaultStatus unaffected
containers > cna > affected > 0 > versions > 0 > versionType semver
containers > cna > affected > 0 > versions > 0 > version 5.0.0
containers > cna > affected > 0 > versions > 0 > lessThanOrEqual 5.0.5
containers > cna > affected > 0 > versions > 0 > status affected
containers > cna > affected > 0 > versions > 1 > versionType semver
containers > cna > affected > 0 > versions > 1 > version 4.4.0
containers > cna > affected > 0 > versions > 1 > lessThanOrEqual 4.4.8
containers > cna > affected > 0 > versions > 1 > status affected
containers > cna > affected > 0 > versions > 2 > versionType semver
containers > cna > affected > 0 > versions > 2 > version 4.2.1
containers > cna > affected > 0 > versions > 2 > lessThanOrEqual 4.2.8
containers > cna > affected > 0 > versions > 2 > status affected
containers > cna > affected > 1 > vendor Fortinet
containers > cna > affected > 1 > product FortiSandbox Cloud
containers > cna > affected > 1 > cpes > 0 cpe:2.3:a:fortinet:fortisandboxcloud:5.0.5:*:*:*:*:*:*:*
containers > cna > affected > 1 > cpes > 1 cpe:2.3:a:fortinet:fortisandboxcloud:5.0.4:*:*:*:*:*:*:*
containers > cna > affected > 1 > defaultStatus unaffected
containers > cna > affected > 1 > versions > 0 > versionType semver
containers > cna > affected > 1 > versions > 0 > version 5.0.4
containers > cna > affected > 1 > versions > 0 > lessThanOrEqual 5.0.5
containers > cna > affected > 1 > versions > 0 > status affected
containers > cna > affected > 2 > vendor Fortinet
containers > cna > affected > 2 > product FortiSandbox PaaS
containers > cna > affected > 2 > cpes > 0 cpe:2.3:a:fortinet:fortisandboxpaas:5.0.5:*:*:*:*:*:*:*
containers > cna > affected > 2 > cpes > 1 cpe:2.3:a:fortinet:fortisandboxpaas:5.0.4:*:*:*:*:*:*:*
containers > cna > affected > 2 > defaultStatus unaffected
containers > cna > affected > 2 > versions > 0 > versionType semver
containers > cna > affected > 2 > versions > 0 > version 5.0.4
containers > cna > affected > 2 > versions > 0 > lessThanOrEqual 5.0.5
containers > cna > affected > 2 > versions > 0 > status affected
containers > cna > descriptions > 0 > lang en
containers > cna > descriptions > 0 > value A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests
containers > cna > providerMetadata > orgId 6abe59d8-c742-4dff-8ce8-9b0ca1073da8
containers > cna > providerMetadata > shortName fortinet
containers > cna > providerMetadata > dateUpdated 2026-06-09T14:27:47.492Z
containers > cna > problemTypes > 0 > descriptions > 0 > lang en
containers > cna > problemTypes > 0 > descriptions > 0 > cweId CWE-78
containers > cna > problemTypes > 0 > descriptions > 0 > description Execute unauthorized code or commands
containers > cna > problemTypes > 0 > descriptions > 0 > type CWE
containers > cna > metrics > 0 > format CVSS
containers > cna > metrics > 0 > cvssV3_1 > version 3.1
containers > cna > metrics > 0 > cvssV3_1 > attackComplexity LOW
containers > cna > metrics > 0 > cvssV3_1 > attackVector NETWORK
containers > cna > metrics > 0 > cvssV3_1 > availabilityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > baseScore 9.1
containers > cna > metrics > 0 > cvssV3_1 > baseSeverity CRITICAL
containers > cna > metrics > 0 > cvssV3_1 > confidentialityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > integrityImpact HIGH
containers > cna > metrics > 0 > cvssV3_1 > privilegesRequired NONE
containers > cna > metrics > 0 > cvssV3_1 > scope UNCHANGED
containers > cna > metrics > 0 > cvssV3_1 > userInteraction NONE
containers > cna > metrics > 0 > cvssV3_1 > vectorString CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
containers > cna > solutions > 0 > lang en
containers > cna > solutions > 0 > value Upgrade to upcoming FortiSandbox version 5.2.0 or above Upgrade to FortiSandbox version 5.0.6 or above Upgrade to FortiSandbox version 4.4.9 or above Upgrade to upcoming FortiSandbox PaaS version 5.2.0 or above Upgrade to FortiSandbox PaaS version 5.0.6 or above Fortinet remediated this issue in FortiSandbox Cloud version 5.2.0 (not released) and hence customers do not need to perform any action. Fortinet remediated this issue in FortiSandbox Cloud version 5.0.6 (not released) and hence customers do not need to perform any action.
containers > cna > references > 0 > name https://fortiguard.fortinet.com/psirt/FG-IR-26-141
containers > cna > references > 0 > url https://fortiguard.fortinet.com/psirt/FG-IR-26-141
containers > adp > 0 > metrics > 0 > other > type ssvc
containers > adp > 0 > metrics > 0 > other > content > timestamp 2026-06-10T03:58:38.447554Z
containers > adp > 0 > metrics > 0 > other > content > id CVE-2026-25089
containers > adp > 0 > metrics > 0 > other > content > options > 0 > Exploitation none
containers > adp > 0 > metrics > 0 > other > content > options > 1 > Automatable yes
containers > adp > 0 > metrics > 0 > other > content > options > 2 > Technical Impact total
containers > adp > 0 > metrics > 0 > other > content > role CISA Coordinator
containers > adp > 0 > metrics > 0 > other > content > version 2.0.3
containers > adp > 0 > title CISA ADP Vulnrichment
containers > adp > 0 > providerMetadata > orgId 134c704f-9b21-4f2e-91b3-4a467353bcc0
containers > adp > 0 > providerMetadata > shortName CISA-ADP
containers > adp > 0 > providerMetadata > dateUpdated 2026-06-10T13:35:01.375Z