Fortinet patched a critical FortiSandbox vulnerability that could let unauthenticated attackers remotely execute commands via crafted HTTP requests.
Fortinet released security updates to address several vulnerabilities affecting FortiSandbox, FortiOS, FortiProxy, and FortiPortal. The most severe issue, tracked as CVE-2026-25089 (CVSS score of 9.8), is an OS command injection flaw in FortiSandbox products.
The vulnerability could allow remote, unauthenticated attackers to send specially crafted HTTP requests and execute arbitrary commands on affected devices.
“An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.” reads the advisory.
Adham El Karn of Fortinet Product Security team discovered the vulnerability.
The vulnerability impacts the following products and versions:
- FortiSandbox 5.0.0 through 5.0.5 (Upgrade to 5.0.6 or above)
- FortiSandbox 4.4.0 through 4.4.8 (Upgrade to 4.4.9 or above)
- FortiSandbox Cloud 5.0.4 through 5.0.5 (Upgrade to 5.0.6 or above)
- FortiSandbox PaaS 5.0.4 through 5.0.5 (Upgrade to 5.0.6 or above)
The company also patched two medium-severity vulnerabilities affecting FortiOS, FortiProxy, and the FortiPortal API. The flaws could allow authenticated users to execute scripts or access sensitive network configuration information. At the time of disclosure, the vendor said it was not aware of any in-the-wild exploitation targeting these vulnerabilities and urged customers to apply the available security updates.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
