vulnerability context

CVE-2026-25089

CVSS 9.8 CRITICALEPSS 97%CWE-78OTX 8 pulses

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests

Published 2026-06-09 · last modified 2026-06-17

details

CISA KEV status: Not in catalog
CVSS v3: 9.8 / CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 97% percentile (score 0.2339)
CWE: CWE-78
OTX pulses: 8 total, 0 recent

View on NVD → · cve.org

source mentions 2

Attackers Exploit Three Fortinet FortiSandbox Flaws, One Patched Last WeekThe Hacker News · 7d ago
Ivanti, Fortinet, and SAP Release Patches for Multiple Critical VulnerabilitiesThe Hacker News · 13d ago

source consensus

The Hacker News2×

Want the 3-bullet summary of CVE-2026-25089, plus webhook alerts when KEV is updated? Pro is $10/mo.

Open in reader See Pro →