CVE-2026-25089: FortiSandbox unauthenticated command injection added to CISA KEV
4 hours ago
- #cybersecurity
- #vulnerability
- #Fortinet
- Fortinet FortiSandbox contains an unauthenticated OS command injection vulnerability (CVE-2026-25089) in its web interface, rated CVSS 9.8, affecting versions 4.2.x, 4.4.0-4.4.8, 5.0.0-5.0.5, Cloud 5.0.4-5.0.5, and PaaS 5.0.4-5.0.5, with exploitation attempts observed since mid-June 2026.
- To find exposed FortiSandbox instances on a network, use methods such as port scanning (ports 443, 80, 22, 514), inspecting HTTP headers and TLS certificates for Fortinet identifiers, DNS queries for common naming patterns, and external data sources like SHODAN.
- Remediation includes patching to FortiSandbox 4.4.9+ or 5.0.6+, restricting management interface access from untrusted networks, auditing integrations with other Fortinet products, and conducting compromise hunting, while also addressing related exploited vulnerabilities CVE-2026-39808 and CVE-2026-39813.