CVE-2026-25089: Fortinet FortiSandbox Unauthenticated OS Command Injection — Find Exposed Instances — RECON Blog
Professional network intelligence for the field. 18 instrument modules — ping, traceroute, DNS, port scan, WHOIS, TLS, LAN sweep, throughput — in one tactical iOS workspace.
Designed for security/IR teams, military NetOps, network engineers and sysadmins.
JULY 16, 2026CVSS 9.8 · CRITICAL · ACTIVELY EXPLOITED5 MIN READ<br>CVE-2026-25089: Fortinet FortiSandbox Unauthenticated OS Command Injection — How to Find Exposed Instances on Your Network<br>Fortinet FortiSandbox contains an unauthenticated OS command injection vulnerability in its web interface. Fortinet's CNA record assigns CVSS 9.8, while its PSIRT advisory lists 9.1; NVD has not issued an independent score. Defused reported exploitation attempts in mid-June, and CISA added CVE-2026-25089 to KEV on July 16 with a July 19 deadline for applicable FCEB systems. This is the third FortiSandbox vulnerability exploited in the wild within two months.<br>The Vulnerability<br>CVE-2026-25089 (CWE-78: Improper Neutralization of Special Elements used in an OS Command) is an OS command injection in FortiSandbox's web UI. The flaw is reported to affect the "start VNC" feature — an attacker can inject shell metacharacters via JSON payloads in HTTP requests to this endpoint. No authentication is required, no user interaction is needed, and attack complexity is low.<br>CVSS: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — Fortinet CNA record; Fortinet PSIRT advisory lists 9.1; NVD has not published an independent assessment<br>CWE: CWE-78 (OS Command Injection)<br>AFFECTED: FortiSandbox 4.2.x (all versions), 4.4.0–4.4.8, 5.0.0–5.0.5; FortiSandbox Cloud 5.0.4–5.0.5; FortiSandbox PaaS 5.0.4–5.0.5<br>FIXED: FortiSandbox 4.4.9+, 5.0.6+; Cloud/PaaS 5.0.6+; the CNA record lists 4.2 as affected but Fortinet's advisory does not provide a 4.2 remediation — contact Fortinet for migration guidance<br>EXPLOITED: Active exploitation confirmed since mid-June 2026 — CISA KEV listed July 16, 2026 · BOD 26-04 deadline July 19, 2026 (FCEB agencies)<br>ADVISORY: Fortinet PSIRT FG-IR-26-141
Related FortiSandbox Exploitation Activity<br>CVE-2026-25089 is the third FortiSandbox vulnerability exploited in the wild in 2026. Two related flaws were patched in April and saw active exploitation by mid-June:<br>• CVE-2026-39808 — OS command injection (CNA CVSS 9.8; PSIRT 9.1), unauthenticated RCE. Exploitation observed June 12 by KEVIntel.<br>• CVE-2026-39813 — Path traversal leading to authentication bypass (CNA CVSS 9.8; PSIRT 9.1). Exploitation observed June 15 by Defused.<br>Threat intelligence firm Defused detected exploitation attempts against all three CVEs on honeypots. FortiSandbox is a high-value target because integrated Fortinet products — FortiGate, FortiMail, FortiWeb, FortiProxy — consume its threat verdicts to enforce blocking decisions and trigger automated responses. Because these products depend on FortiSandbox results, responders should review connected workflows for unexpected verdicts, signatures, or configuration changes.<br>Investigation Workflow<br>FortiSandbox appliances are typically deployed on internal networks behind firewalls, but their web management interface is often accessible from management VLANs or, in some deployments, from the internet. Identifying exposed instances is the first step.<br>1. Port Scan: Find FortiSandbox Appliances<br>FortiSandbox uses standard ports for its web UI and services. The management web interface — where CVE-2026-25089 resides — is the primary target:<br>• 443 — HTTPS web UI (management interface — where the vulnerability resides)<br>• 80 — HTTP web UI (if HTTPS redirect is not enforced)<br>• 22 — SSH administration<br>• 514 — OFTP (file/URL/traffic submissions from other Fortinet products)<br>2. HTTP Headers: Identify FortiSandbox Interfaces<br>FortiSandbox appliances return identifiable HTTP responses on their management interface:<br>• HTML title containing FortiSandbox<br>• HTTP headers referencing Fortinet or FortiSandbox<br>• Login page with Fortinet branding and FortiSandbox product name<br>• Server header may identify the Fortinet web server<br>3. TLS Inspect: Examine Certificates<br>Pull the TLS certificate on port 443. Look for:<br>• Subject CN or SAN containing FortiSandbox or fortisandbox<br>• Default self-signed certificates from Fortinet (common on initial deployments)<br>• Organization field referencing Fortinet<br>4. DNS: Discover FortiSandbox Infrastructure<br>Query DNS for common FortiSandbox naming patterns: sandbox.*, fortisandbox.*, fsb.*, fsa.*. FortiSandbox appliances are often given descriptive hostnames in internal DNS.<br>5. CVE Lookup: Track All Three Vulnerabilities<br>Look up CVE-2026-25089, CVE-2026-39808, and CVE-2026-39813. All three target FortiSandbox and have been exploited in the wild. Check applicability for all three. FortiSandbox 4.4.9+ addresses all three vulnerabilities on the 4.4 branch; 5.0.6+ addresses the applicable vulnerabilities on 5.0. CVE-2026-39808 does not affect...