What is Fortinet FortiSandbox?
FortiSandbox is Fortinet's malware detonation and analysis appliance, deployed to detect zero-day and evasive threats by executing suspicious files in isolated virtual environments before they reach production systems. It integrates with FortiGate firewalls, FortiMail, and other Fortinet security products as part of the broader Fortinet Security Fabric, giving it privileged network access to ingest samples from across an organization's security stack. Because it sits at a trust boundary — analyzing untrusted, potentially malicious content — compromising FortiSandbox itself is a high-value pivot point into the security infrastructure it's meant to protect.
Overview
CVE-2026-25089 is an OS command injection vulnerability (CWE-78) in the FortiSandbox web UI's "start VNC" feature, allowing an unauthenticated attacker to execute arbitrary commands on the underlying host via a specially crafted HTTP request. Fortinet disclosed and patched it on June 9, 2026, but exploitation attempts began within days — part of a wave of attacks against three separate FortiSandbox vulnerabilities disclosed around the same period (CVE-2026-25089, CVE-2026-39808, and CVE-2026-39813).
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| FortiSandbox 5.0 | 5.0.0 – 5.0.5 | 5.0.6 and later |
| FortiSandbox 4.4 | 4.4.0 – 4.4.8 | 4.4.9 and later |
| FortiSandbox Cloud 5.0 | 5.0.4 – 5.0.5 | 5.0.6 and later |
| FortiSandbox PaaS 5.0 | 5.0.4 – 5.0.5 | 5.0.6 and later |
Technical Details
The flaw is in the FortiSandbox web UI's "start VNC" functionality, which is used to open a remote VNC session for interactive malware analysis. A specially crafted HTTP request reaches a system-level shell command without proper input sanitization, allowing an unauthenticated attacker to inject and execute arbitrary OS commands on the underlying appliance. The attack requires no authentication, no user interaction, and can be executed via a single network request (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8 Critical).
Discovery
Fortinet credits its own Product Security team, specifically Adham El Karn, with discovering CVE-2026-25089 internally.
Exploitation Context
Threat intelligence firm Defused confirmed active exploitation attempts against FortiSandbox honeypots the weekend of June 14–16, 2026 — roughly a week after Fortinet's June 9 patch — targeting this vulnerability alongside two other recently disclosed FortiSandbox bugs, CVE-2026-39808 and CVE-2026-39813. Some reporting has loosely associated the wave with the broader "FortiBleed" credential-leak campaign affecting tens of thousands of Fortinet devices, though the exact relationship between that campaign and this specific CVE is not firmly established in public sources.
Remediation
- Upgrade to the fixed version for your product line immediately (see version table above).
- Restrict management interface access: FortiSandbox's web UI should not be exposed to the internet; limit access to trusted management networks only.
- Review logs for exploitation indicators: look for anomalous requests to VNC-related endpoints and unexpected shell command execution on the appliance around and after June 9, 2026.
- Treat any internet-exposed, unpatched instance as compromised given confirmed in-the-wild attacks — rotate credentials and inspect for persistence mechanisms.
- Patch alongside related CVE-2026-39808 and CVE-2026-39813, which were exploited in the same campaign against FortiSandbox deployments.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-25089 |
| Vendor / Product | Fortinet — FortiSandbox |
| NVD Published | 2026-06-09 |
| NVD Last Modified | 2026-07-16 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 find similar ↗ |
| CISA KEV Added | 2026-07-16 |
| CISA KEV Deadline | 2026-07-19 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-06-09 | CVE-2026-25089 disclosed and patched by Fortinet PSIRT (advisory FG-IR-26-141) |
| 2026-06-14 | Active exploitation attempts observed against honeypots, alongside CVE-2026-39808 and CVE-2026-39813 |
| 2026-07-16 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-07-19 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Fortinet PSIRT Advisory FG-IR-26-141 | Vendor Advisory |
| NVD — CVE-2026-25089 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Help Net Security — FortiSandbox Vulnerabilities Exploited | News |
| 3 Recently Patched Fortinet FortiSandbox Vulnerabilities in Hacker Crosshairs | News |