Critical FortiSandbox Flaw: Unauthenticated Command Injection Added to CISA KEV

CVE-2026-25089: FortiSandbox unauthenticated command injection added to CISA KEV

7slvnx💬 0
Critical FortiSandbox Flaw: Unauthenticated Command Injection Added to CISA KEV

I uncovered a critical unauthenticated command injection in FortiSandbox, now listed on the CISA Known Exploited Vulnerabilities catalog with a CVSS score of 9.8. This is the third such flaw exploited in the wild against Fortinet's sandbox in just two months, allowing attackers to execute shell commands via the web interface without any login. Organizations must immediately patch to version 4.4.9 or 5.0.6 and isolate management interfaces to prevent full network compromise.

"FortiSandbox is a high-value target because integrated Fortinet products consume its threat verdicts to enforce blocking decisions and trigger automated responses."

More from this day · 2026-07-16