Fortinet FortiSandbox unauthenticated OS command injection (4.2, 4.4, 5.0, Cloud, PaaS)
An unauthenticated OS command injection across FortiSandbox 4.2, 4.4, 5.0, plus FortiSandbox Cloud and PaaS 5.0 lets a network attacker run arbitrary commands via crafted HTTP requests. CVSS 9.8; CISA-listed KEV.
- Vendor
- Fortinet
- Product
- FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS (multiple 4.x and 5.0 lines — see body)
- CVSS
- 9.8
- EPSS (exploit probability)
- N/A
- Status
- kev
- Published
CVE-2026-25089 is an unauthenticated OS command injection (CWE-78) in Fortinet’s FortiSandbox appliance family. Per NVD, the flaw allows an unauthenticated attacker to “execute unauthorized commands via specifically crafted HTTP requests.” CVSS 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network-reachable, no authentication, no user interaction.
Affected builds
Per NVD’s affected-product enumeration:
- FortiSandbox 4.2.0 through 4.2.8
- FortiSandbox 4.4.0 through 4.4.8
- FortiSandbox 5.0.0 through 5.0.5
- FortiSandbox Cloud 5.0.4 through 5.0.5
- FortiSandbox PaaS 5.0.4 through 5.0.5
The footprint is wider than CVE-2026-39808, the companion CVE Fortinet disclosed alongside this one on the same day — that one is scoped to 4.4 and a set of PaaS builds, this one covers the full on-prem 4.2/4.4/5.0 install base plus Cloud and PaaS 5.0. If you run FortiSandbox 4.4, both CVEs apply and both are closed by the same fixed 4.4 build. If you run 4.2 or 5.0, only this CVE applies but the upgrade is still non-optional.
Confirm the exact fixed build against FG-IR-26-141 directly — the fixed-build tables between the two Fortinet PSIRT advisories are not identical.
Status
CISA added CVE-2026-25089 to the Known Exploited Vulnerabilities catalog on 2026-07-16, with a federal remediation deadline of 2026-07-19 under BOD 26-04. Known ransomware-campaign use is currently listed as unknown on the KEV entry.
What to do
Upgrade every affected FortiSandbox appliance, FortiSandbox Cloud tenant, and FortiSandbox PaaS deployment to the fixed build per FG-IR-26-141. Until the upgrade lands, restrict the management interface to the specific FortiManager, FortiAnalyzer, and administrative source IPs that actually need it — the vector is HTTP against the appliance itself, so anything reachable from an untrusted segment is one request away from RCE. See the article writeup for the operational sequence and the pairing with CVE-2026-39808.
