Fortinet patches critical FortiSandbox bug CVE-2026-25089 that lets attackers run code without logging in

Fortinet fixed a critical flaw in FortiSandbox that could let an attacker take over affected appliances over the internet without a password. The bug, CVE-2026-25089, is an OS command injection issue in the web interface of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS; an unauthenticated attacker can trigger it with crafted HTTP requests to execute arbitrary commands. Fixes shipped in FortiSandbox 5.0.6 and 4.4.9, FortiSandbox Cloud 5.0.6, and FortiSandbox PaaS 5.0.6; Fortinet also patched two medium-severity flaws in FortiOS, FortiProxy, and FortiPortal.
Why it matters: Organizations using FortiSandbox should update quickly because this is the kind of bug that can allow full remote compromise of a security appliance. Even though Fortinet says it has no evidence of attacks yet, internet-facing management interfaces are high-risk and should be patched or tightly restricted immediately.

Sources

Critical Vulnerabilities Patched in Fortinet, Ivanti Products
Ionut Arghire, 2026.06.10