By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-25089 is a critical second-order OS command injection vulnerability affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS.
The vulnerability is caused by insufficient sanitization of user-controlled data during JSON input processing. Because the injection is second-order, the malicious value is not executed when it is received: the application stores it, and it reaches an operating system command sink only during a later, separate operation. This separation between where the data enters and where it is executed is what makes the flaw easy to miss in input-boundary checks alone.
A successful exploit may allow a remote attacker to execute unauthorized operating system commands on vulnerable appliances, potentially leading to compromise of the sandbox infrastructure and of the administrative systems that depend on it.
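The two-step pattern described above, as a constructed example added here to illustrate the class of bug; it is not FortiSandbox code and says nothing about how that product is implemented. The table name, field names and the `echo` sink are all assumptions chosen so the example runs offline. Step one accepts a JSON document and stores one field with parameterised SQL (so the store itself is safe); step two, a later operation, builds a shell command from the stored value. The hardened version validates the value at the sink and passes it as a single argv element so no shell ever parses it:

```python
import json
import re
import sqlite3
import subprocess

# Allowlist for the stored value: path-like characters only, no shell
# metacharacters. Validating at the sink as well as at ingest is the
# defence-in-depth point of a second-order injection (assumed policy).
SAFE_PATH = re.compile(r"^[A-Za-z0-9._/-]+$")


def new_db() -> sqlite3.Connection:
    # Hypothetical schema used only for this illustration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE samples (name TEXT PRIMARY KEY, path TEXT)")
    return db


def ingest(db: sqlite3.Connection, payload: str) -> None:
    """Step 1: parse JSON input and store one field.

    Parameterised SQL keeps this step safe in isolation; the `path`
    value is stored verbatim, which is where the second-order problem
    starts if nothing downstream re-validates it.
    """
    rec = json.loads(payload)
    db.execute("INSERT INTO samples VALUES (?, ?)", (rec["name"], rec["path"]))


def analyze_vulnerable(db: sqlite3.Connection, name: str) -> str:
    """Step 2 (vulnerable): the stored value is interpolated into a
    shell command string. shell=True lets ';', '|', '$(...)' etc. in the
    stored data become new commands."""
    (path,) = db.execute("SELECT path FROM samples WHERE name = ?", (name,)).fetchone()
    cmd = f"echo analyzing {path}"  # 'echo' stands in for a real tool sink
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def analyze_hardened(db: sqlite3.Connection, name: str) -> str:
    """Step 2 (hardened): re-validate the stored value and avoid the shell.

    The argv list form passes `path` as exactly one argument to the
    program, so shell metacharacters have no meaning even if the
    allowlist were loosened later."""
    (path,) = db.execute("SELECT path FROM samples WHERE name = ?", (name,)).fetchone()
    if not SAFE_PATH.fullmatch(path):
        raise ValueError(f"rejected stored path: {path!r}")
    return subprocess.run(["echo", "analyzing", path], capture_output=True, text=True).stdout


def demo() -> tuple[str, str, str]:
    """Run both sinks against a constructed malicious record and a clean one.

    Returns (vulnerable output, hardened verdict for the malicious record,
    hardened output for the clean record)."""
    db = new_db()
    # Constructed payloads: the first smuggles a second command after ';'.
    ingest(db, '{"name": "s1", "path": "sample.bin; echo INJECTED"}')
    ingest(db, '{"name": "s2", "path": "clean.bin"}')

    vuln_out = analyze_vulnerable(db, "s1")
    try:
        analyze_hardened(db, "s1")
        verdict = "not blocked"
    except ValueError:
        verdict = "blocked"
    clean_out = analyze_hardened(db, "s2")
    return vuln_out, verdict, clean_out


if __name__ == "__main__":
    v, verdict, c = demo()
    print("vulnerable sink output:", repr(v))
    print("hardened sink, malicious record:", verdict)
    print("hardened sink, clean record:", repr(c))
```

Running `demo()` shows the vulnerable sink emitting a second line, `INJECTED`, because the `;` stored at ingest time is interpreted by the shell hours or requests later, while the hardened sink rejects the same record and processes the clean one normally. The practical lesson for code review is to trace every value read back from storage to any `shell=True`, `system()` or `popen()` style call, not only values arriving directly from a request.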
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify at the highest severity level, which warrant out-of-band emergency patching or mitigation.
VULNERABILITIES
Second-Order OS Command Injection via JSON Input
Identifier: CVE-2026-25089
PoC or Exploitation: At the time of Fortinet's advisory and current public reporting, there are no confirmed reports of exploitation in the wild and no validated public proof-of-concept exploit code.
CVSS Score: 9.1 (Critical, CVSS v3.1)
Update / Patch:
Affected versions:
- FortiSandbox 5.0.0 through 5.0.5
- FortiSandbox 4.4.0 through 4.4.8
- FortiSandbox Cloud 5.0.4 through 5.0.5
- FortiSandbox PaaS 5.0.4 through 5.0.5
Fixed versions:
- FortiSandbox 5.0: upgrade to 5.0.6 or later
- FortiSandbox 4.4: upgrade to 4.4.9 or later
- FortiSandbox Cloud 5.0: upgrade to 5.0.6 or later
- FortiSandbox PaaS 5.0: upgrade to 5.0.6 or later
Not affected (listed without an upgrade action in the vendor advisory):
- FortiSandbox 5.2
- FortiSandbox Cloud 5.2
- FortiSandbox Cloud 4.4
- FortiSandbox PaaS 23.4
- FortiSandbox PaaS 5.2
- FortiSandbox PaaS 4.4
Description:
Mitigation Recommendation: