CVE-2026-25089 — Fortinet FortiSandbox OS Command Injection Vulnerability

CVE-2026-25089

Fortinet FortiSandbox — Unauthenticated Command Injection via Start VNC Feature

What is Fortinet FortiSandbox?

FortiSandbox is Fortinet's malware detonation and analysis appliance, deployed to detect zero-day and evasive threats by executing suspicious files in isolated virtual environments before they reach production systems. It integrates with FortiGate firewalls, FortiMail, and other Fortinet security products as part of the broader Fortinet Security Fabric, giving it privileged network access to ingest samples from across an organization's security stack. Because it sits at a trust boundary — analyzing untrusted, potentially malicious content — compromising FortiSandbox itself is a high-value pivot point into the security infrastructure it's meant to protect.

Overview

CVE-2026-25089 is an OS command injection vulnerability (CWE-78) in the FortiSandbox web UI's "start VNC" feature, allowing an unauthenticated attacker to execute arbitrary commands on the underlying host via a specially crafted HTTP request. Fortinet disclosed and patched it on June 9, 2026, but exploitation attempts began within days — part of a wave of attacks against three separate FortiSandbox vulnerabilities disclosed around the same period (CVE-2026-25089, CVE-2026-39808, and CVE-2026-39813).

Affected Versions

Product Vulnerable Fixed
FortiSandbox 5.0 5.0.0 – 5.0.5 5.0.6 and later
FortiSandbox 4.4 4.4.0 – 4.4.8 4.4.9 and later
FortiSandbox Cloud 5.0 5.0.4 – 5.0.5 5.0.6 and later
FortiSandbox PaaS 5.0 5.0.4 – 5.0.5 5.0.6 and later

Technical Details

The flaw is in the FortiSandbox web UI's "start VNC" functionality, which is used to open a remote VNC session for interactive malware analysis. A specially crafted HTTP request reaches a system-level shell command without proper input sanitization, allowing an unauthenticated attacker to inject and execute arbitrary OS commands on the underlying appliance. The attack requires no authentication, no user interaction, and can be executed via a single network request (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8 Critical).

Discovery

Fortinet credits its own Product Security team, specifically Adham El Karn, with discovering CVE-2026-25089 internally.

Exploitation Context

Threat intelligence firm Defused confirmed active exploitation attempts against FortiSandbox honeypots the weekend of June 14–16, 2026 — roughly a week after Fortinet's June 9 patch — targeting this vulnerability alongside two other recently disclosed FortiSandbox bugs, CVE-2026-39808 and CVE-2026-39813. Some reporting has loosely associated the wave with the broader "FortiBleed" credential-leak campaign affecting tens of thousands of Fortinet devices, though the exact relationship between that campaign and this specific CVE is not firmly established in public sources.

Remediation

  1. Upgrade to the fixed version for your product line immediately (see version table above).
  2. Restrict management interface access: FortiSandbox's web UI should not be exposed to the internet; limit access to trusted management networks only.
  3. Review logs for exploitation indicators: look for anomalous requests to VNC-related endpoints and unexpected shell command execution on the appliance around and after June 9, 2026.
  4. Treat any internet-exposed, unpatched instance as compromised given confirmed in-the-wild attacks — rotate credentials and inspect for persistence mechanisms.
  5. Patch alongside related CVE-2026-39808 and CVE-2026-39813, which were exploited in the same campaign against FortiSandbox deployments.

Key Details

PropertyValue
CVE ID CVE-2026-25089
Vendor / Product Fortinet — FortiSandbox
NVD Published2026-06-09
NVD Last Modified2026-07-16
CVSS 3.1 Score9.8
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-78 find similar ↗
CISA KEV Added2026-07-16
CISA KEV Deadline2026-07-19
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-19. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-06-09CVE-2026-25089 disclosed and patched by Fortinet PSIRT (advisory FG-IR-26-141)
2026-06-14Active exploitation attempts observed against honeypots, alongside CVE-2026-39808 and CVE-2026-39813
2026-07-16Added to CISA Known Exploited Vulnerabilities catalog
2026-07-19CISA BOD 22-01 remediation deadline