Fortinet FortiSandbox Vulnerability: Attackers Execute
Fortinet has disclosed a critical security vulnerability in its FortiSandbox product line. This flaw could allow unauthenticated remote attackers to execute arbitrary OS commands through the web interface.
The flaw, tracked as CVE-2026-25089 and assigned a CVSSv3 score of 9.1 (Critical), affects multiple versions of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS deployments.
The vulnerability stems from improper neutralization of special elements used in an OS command (CWE-78), commonly known as OS command injection, in the FortiSandbox Web UI.
By sending specially crafted HTTP requests, a remote, unauthenticated attacker can exploit this flaw to execute unauthorized commands on the underlying system.
Because no authentication is required to trigger the vulnerability, the attack complexity is low, and the potential blast radius is significant. Successful exploitation can result in the full compromise of the affected system’s confidentiality, integrity, and availability, which explains its near-maximum CVSS score.
The vulnerability was discovered and reported internally by Adham El Karn of Fortinet’s Product Security team, and the advisory was published on June 9, 2026, under the internal reference FG-IR-26-141.
Affected Versions and Fixes
The vulnerability impacts the following product versions:
| Product | Affected Versions | Fix |
|---|---|---|
| FortiSandbox | 5.0.0 – 5.0.5 | Upgrade to 5.0.6 or above |
| FortiSandbox | 4.4.0 – 4.4.8 | Upgrade to 4.4.9 or above |
| FortiSandbox Cloud | 5.0.4 – 5.0.5 | Upgrade to 5.0.6 or above |
| FortiSandbox PaaS | 5.0.4 – 5.0.5 | Upgrade to 5.0.6 or above |
FortiSandbox 5.2, FortiSandbox Cloud 4.4, FortiSandbox Cloud 5.2, FortiSandbox PaaS 4.4, FortiSandbox PaaS 5.2, and FortiSandbox PaaS 23.4 are not affected by this vulnerability.
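The affected ranges and unaffected branches listed above can be applied to an appliance inventory as follows. This is an added example, not code from Fortinet or from this article; the host names and version strings are constructed, and the version-string format is an assumption.

```python
import re

# Ranges and unaffected branches transcribed from the table and text above.
AFFECTED = {
    "FortiSandbox": [((5, 0, 0), (5, 0, 5), "5.0.6"),
                     ((4, 4, 0), (4, 4, 8), "4.4.9")],
    "FortiSandbox Cloud": [((5, 0, 4), (5, 0, 5), "5.0.6")],
    "FortiSandbox PaaS": [((5, 0, 4), (5, 0, 5), "5.0.6")],
}
UNAFFECTED_BRANCHES = {
    "FortiSandbox": [(5, 2)],
    "FortiSandbox Cloud": [(4, 4), (5, 2)],
    "FortiSandbox PaaS": [(4, 4), (5, 2), (23, 4)],
}

def parse_version(text):
    """Turn '5.0.3' or 'v4.4.8 build1234' into (5, 0, 3); None if unparseable."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(product, version_text):
    """Return (status, fix); status is affected/fixed/unaffected/unlisted/unknown."""
    ver = parse_version(version_text)
    if product not in AFFECTED or ver is None:
        return ("unknown", None)
    for low, high, fix in AFFECTED[product]:
        if low <= ver <= high:
            return ("affected", fix)
        if ver[:2] == low[:2] and ver > high:
            return ("fixed", None)
    if ver[:2] in UNAFFECTED_BRANCHES[product]:
        return ("unaffected", None)
    # The article says nothing about this version: do not assume it is safe.
    return ("unlisted", None)

def report(inventory):
    """Triage every (host, product, version) row of an inventory."""
    return [(host, *triage(product, ver)) for host, product, ver in inventory]

# Constructed sample inventory (hypothetical hosts and version strings).
INVENTORY = [
    ("fsa-dc1", "FortiSandbox", "v5.0.3 build0100"),
    ("fsa-dc2", "FortiSandbox", "4.4.9"),
    ("fsa-cloud", "FortiSandbox Cloud", "5.0.2"),
    ("fsa-paas", "FortiSandbox PaaS", "23.4.0"),
]

if __name__ == "__main__":
    for row in report(INVENTORY):
        print(row)
```

The `unlisted` status covers versions that fall in neither the affected ranges nor the unaffected branches named above, such as FortiSandbox Cloud 5.0.2, and should be checked against the vendor advisory rather than treated as safe.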
While there are currently no reports of active exploitation in the wild, the unauthenticated nature of this attack vector makes it a high-priority target for threat actors.
FortiSandbox is widely deployed in enterprise environments as a malware analysis and threat detection platform, meaning a successful compromise could undermine an organization’s entire threat detection pipeline, giving attackers a strategic foothold.
Recommended Actions
Security teams are strongly advised to take the following steps immediately:
- Upgrade affected FortiSandbox installations to version 5.0.6 or 4.4.9 or above
- Restrict web UI access to trusted IP ranges as a temporary mitigation
- Monitor logs for anomalous HTTP requests targeting the FortiSandbox web interface
- Review Fortinet’s official advisory at the Fortinet PSIRT portal for further guidance
Organizations still running affected builds earlier than 4.4.9 or 5.0.6 should treat this as an urgent patching priority given the critical severity and zero-authentication requirement.