// #fortisandbox
2 articles
Fortinet FortiSandbox CVE-2026-25089 (CVSS 9.8): Unauthenticated Command Injection in Web Management UI
Fortinet has patched a critical command injection vulnerability in FortiSandbox that allows an unauthenticated remote attacker to execute arbitrary system commands through the web management interface. CVE-2026-25089, rated CVSS 9.8, requires no credentials to exploit and affects FortiSandbox versions through 5.4.5 — a particularly sensitive target given the appliance's privileged role in malware analysis.
Public Exploit Released for Critical FortiSandbox RCE (CVE-2026-39808, CVSS 9.1) — Unauthenticated Root Access
A public proof-of-concept exploit has been released for CVE-2026-39808, a critical OS command injection vulnerability in Fortinet FortiSandbox that allows unauthenticated attackers to execute arbitrary commands as root via a single HTTP request. A companion authentication bypass flaw (CVE-2026-39813) affects the same versions. Patch to FortiSandbox 4.4.9 or 5.0.6 immediately.