CVE-2026-25089

Summary

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests

Affected Software

VendorProductVersion RangeStatus
FortinetFortiSandbox5.0.0 <= 5.0.5affected
FortinetFortiSandbox4.4.0 <= 4.4.8affected
FortinetFortiSandbox4.2.1 <= 4.2.8affected
FortinetFortiSandbox Cloud5.0.4 <= 5.0.5affected
FortinetFortiSandbox PaaS5.0.4 <= 5.0.5affected

Weaknesses

  • CWE-78: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References