CVE-2026-25089
CriticalCVSS 9.8Exploitation Probability (EPSS)
High risk76th percentile — higher than 76% of all known CVEs
Summary
Fortinet FortiSandbox has a vulnerability due to improper neutralization of special elements in OS commands, allowing unauthenticated attackers to execute unauthorized commands via specially crafted HTTP requests.
Risk Assessment
This vulnerability may lead to unauthorized access and execution of malicious code, posing a serious threat to the organization's security.
Recommendation
It is recommended to update FortiSandbox to the latest version to mitigate this vulnerability and to monitor logs for potential attack attempts.
Original NVD description (English source)
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests

