Fortinet FortiSandbox Vulnerability Allows Attackers to Execute Unauthorized Commands
Cybersecurity NewsArchived Jun 09, 2026✓ Full text saved
Fortinet has disclosed a critical security vulnerability in its FortiSandbox product line that could allow unauthenticated remote attackers to execute arbitrary OS commands through the web interface. The flaw, tracked as CVE-2026-25089 and assigned a CVSSv3 score of 9.1 (Critical), affects multiple versions of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS deployments. The vulnerability stems from […] The post Fortinet FortiSandbox Vulnerability Allows Attackers to Execute Unauthorized
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Fortinet FortiSandbox Vulnerability Allows Attackers to Execute Unauthorized Commands
By Guru Baran
June 9, 2026
Fortinet has disclosed a critical security vulnerability in its FortiSandbox product line that could allow unauthenticated remote attackers to execute arbitrary OS commands through the web interface.
The flaw, tracked as CVE-2026-25089 and assigned a CVSSv3 score of 9.1 (Critical), affects multiple versions of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS deployments.
The vulnerability stems from an improper neutralization of special elements used in an OS command (CWE-78) commonly known as OS command injection present in the FortiSandbox Web UI.
By sending specifically crafted HTTP requests, a remote, unauthenticated attacker can exploit this flaw to execute unauthorized commands on the underlying system.
Because no authentication is required to trigger the vulnerability, the attack complexity is low, and the potential blast radius is significant. Successful exploitation can result in the full compromise of the affected system’s confidentiality, integrity, and availability, which explains its near-maximum CVSS score.
The advisory was discovered and reported internally by Adham El Karn of Fortinet’s Product Security team and published on June 9, 2026, under the internal reference FG-IR-26-141.
Affected Versions and Fixes
The vulnerability impacts the following product versions:
Product Affected Versions Fix
FortiSandbox 5.0.0 – 5.0.5 Upgrade to 5.0.6 or above
FortiSandbox 4.4.0 – 4.4.8 Upgrade to 4.4.9 or above
FortiSandbox Cloud 5.0.4 – 5.0.5 Upgrade to 5.0.6 or above
FortiSandbox PaaS 5.0.4 – 5.0.5 Upgrade to 5.0.6 or above
FortiSandbox 5.2, FortiSandbox Cloud 4.4, FortiSandbox Cloud 5.2, FortiSandbox PaaS 4.4, FortiSandbox PaaS 5.2, and FortiSandbox PaaS 23.4 are not affected by this vulnerability.
While there are currently no reports of active exploitation in the wild, the unauthenticated nature of this attack vector makes it a high-priority target for threat actors.
FortiSandbox is widely deployed in enterprise environments as a malware analysis and threat detection platform, meaning a successful compromise could undermine an organization’s entire threat detection pipeline, giving attackers a strategic foothold.
Recommended Actions
Security teams are strongly advised to take the following steps immediately:
Upgrade affected FortiSandbox installations to version 5.0.6 or 4.4.9 or above
Restrict web UI access to trusted IP ranges as a temporary mitigation
Monitor logs for anomalous HTTP requests targeting the FortiSandbox web interface
Review Fortinet’s official advisory at the Fortinet PSIRT portal for further guidance
Organizations still running any affected 4.4.9 or 5.0.6 builds should treat this as an urgent patching priority given the critical severity and zero-authentication requirement.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users
Cybercriminals Exploit 2026 FIFA World Cup With Phishing, Fake Stores, and Ticket Scams
Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware
21 0-Day Vulnerabilities in FFmpeg Enables Remote Code Execution Attacks
Threat Actor Uses Stolen Gemini API Keys to Automate Telegram Influence Campaign
Latest News
Cyber Security
Google Chrome 0-Day Vulnerability Exploited in the Wild — Update Now
Cyber Security News
New Weedhack Malware-as-a-Service Targets Minecraft Players to Steal Credentials, and Hijack Accounts
Cyber Security News
New NFCShare Android Malware Delivered via Weaponized Versions of Egitimate Banking Apps
Cyber Security
Microsoft Defender Now Monitors RPC Protocol Abuse by Hackers
Cyber Security
Hackers Exploiting LiteLLM RCE Vulnerability in the Wild to Run Arbitrary Commands