CVE-2026-25089: An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 3
HarborGuard Analysis
Synopsis
OS command injection vulnerability in Fortinet FortiSandbox allows an unauthenticated remote attacker to inject and execute arbitrary operating system commands by sending specially crafted HTTP requests to the affected service. The vulnerability is reachable over the network with no authentication or user interaction required, making it exploitable without any preconditions. Successful exploitation gives the attacker full control over the host, including the ability to read sensitive data, modify system state, and disrupt service availability. No fix versions have been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.
HarborGuard Coverage
Detection for CVE-2026-25089 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected FortiSandbox base layers. Any image found running a vulnerable version is flagged immediately.
Available
Triage is available with a CVSS v3.1 base score of 9.1 (Critical), surfaced alongside per-environment compliance policy weighting so each customer org can see the finding ranked against its own risk thresholds. Routing rules direct the alert to the appropriate team inbox within the customer org based on image ownership and policy configuration.
Available
Because no fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Fortinet releases a remediated version. In the interim, customers can apply compensating controls through HarborGuard network-policy recommendations to restrict inbound HTTP access to affected FortiSandbox instances.
Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the FortiSandbox HTTP service over the network; any internet-exposed or internally reachable deployment is in scope.
- Authentication: Not required
No credentials or account of any privilege level are needed; the injected commands are accepted from unauthenticated HTTP requests.
- Victim interaction: Not required
No user action is required; the attacker sends crafted HTTP requests directly to the service without involving any human victim.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race timing, or prior reconnaissance.
Blast Radius
- The attacker executes arbitrary OS commands as the process user on the FortiSandbox host, gaining full shell-level access to the underlying system.
- Confidential data stored or processed by FortiSandbox, including submitted file samples, analysis results, and stored credentials, is readable by the attacker.
- The attacker can modify or delete configuration files, analysis databases, and operating system binaries, corrupting the integrity of the sandbox environment.
- The attacker can terminate processes, exhaust resources, or wipe the system, taking the FortiSandbox service fully offline.
How HarborGuard Handles This
Available on HarborGuard: because Fortinet has not yet published a fix for CVE-2026-25089, HarborGuard continuously re-checks the advisory on every ingest cycle and will trigger an automatic patched-image rebuild the moment a remediated version is released upstream. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads, with median time from fix publication to merged patch PR around 90 minutes for Critical-severity issues. While no upstream patch exists, compensating controls are available through HarborGuard policy enforcement: network-isolation rules can be applied to restrict inbound HTTP access to affected FortiSandbox images, and egress-filtering policies can limit lateral movement if a container in the affected image family is compromised. Customers are advised to treat any FortiSandbox instance running versions 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, or any 4.2 release as critically exposed until Fortinet publishes a patch.
- Fortinet / FortiSandbox: ≤ 5.0.5 · ≤ 4.4.8 · ≤ 4.2.8
- Fortinet / FortiSandbox Cloud: ≤ 5.0.5
- Fortinet / FortiSandbox PaaS: ≤ 5.0.5
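
An inventory check against the affected ranges, as an added example that is not HarborGuard or Fortinet code. It follows the ranges in the CVE description (including "4.2 all versions" and the 5.0.4 lower bound for Cloud and PaaS); the host names, the inventory records and the function names are constructed for illustration.

```python
import re

# Affected ranges from the CVE description on this page (bounds inclusive).
# An upper bound of None means every release of that branch is affected.
AFFECTED = {
    "fortisandbox": [((5, 0, 0), (5, 0, 5)), ((4, 4, 0), (4, 4, 8)), ((4, 2), None)],
    "fortisandbox cloud": [((5, 0, 4), (5, 0, 5))],
    "fortisandbox paas": [((5, 0, 4), (5, 0, 5))],
}

def parse_version(text):
    """Parse 'v5.0.3', '5.0.3' or '5.0.3 build0123' into (5, 0, 3)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+ ].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(product, version):
    ranges = AFFECTED.get(product.strip().lower())
    if ranges is None:
        return False
    v = parse_version(version)
    for low, high in ranges:
        if high is None:
            if v[:len(low)] == low:      # whole branch, e.g. every 4.2.x
                return True
        elif low <= v <= high:
            return True
    return False

def triage(inventory):
    """Return (host, status) pairs; unparseable versions need manual review."""
    results = []
    for host, product, version in inventory:
        try:
            status = "AFFECTED" if is_affected(product, version) else "not listed"
        except ValueError:
            status = "UNKNOWN VERSION"
        results.append((host, status))
    return results

# Constructed sample inventory (hypothetical hosts).
INVENTORY = [
    ("fsa-dmz-01", "FortiSandbox", "v5.0.3 build0123"),
    ("fsa-lab-02", "FortiSandbox", "4.2.1"),
    ("fsa-core-03", "FortiSandbox", "5.0.6"),
    ("fsa-cloud-04", "FortiSandbox Cloud", "5.0.2"),
    ("fsa-old-05", "FortiSandbox", "build-unknown"),
]
for host, status in triage(INVENTORY):
    print(f"{host}: {status}")
```

"not listed" means only that the version falls outside the ranges stated in the description, not that it is confirmed fixed.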
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C