CVE-2026-25089

CRITICAL EXPLOITED

Fortinet FortiSandbox - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')


Exploitation Summary

CVE-2026-25089 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including 0xBlackash and HORKimhab.

AI-analyzed exploit summary: The repository contains a functional Python exploit for CVE-2026-25089, an OS command injection vulnerability in Fortinet FortiSandbox. The exploit targets the 'start VNC' JSON endpoint, allowing unauthenticated remote code execution via crafted HTTP requests.

Description

An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, and FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.

Exploits (2)

GitHub · Working PoC
by 0xBlackash · python · poc
https://github.com/0xBlackash/CVE-2026-25089


Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Fortinet FortiSandbox (versions 4.2.x, 4.4.0-4.4.8, 5.0.0-5.0.5)
Authentication: none needed
Prerequisites: Network access to the vulnerable FortiSandbox endpoint
Analyzed by devstral-2 on Jun 13, 2026

GitHub · Working PoC
by HORKimhab · python · poc
https://github.com/HORKimhab/CVE-2026-25089

This repository contains a functional Python-based PoC for CVE-2026-25089, demonstrating an OS command injection vulnerability in FortiSandbox via crafted JSON payloads. The script simulates vulnerable behavior and can send payloads to a target endpoint.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Fortinet FortiSandbox
Authentication: none needed
Prerequisites: Python 3.x · requests library · target endpoint accessible
Analyzed by devstral-2 on Jun 10, 2026

References (1)


Scores

CVSS v3: 9.8
EPSS: 0.0266
EPSS Percentile: 83.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2026-06-15
CWE: CWE-78
Status: published
Products (8):
fortinet/fortisandbox 4.2.0 - 4.2.8
Fortinet/FortiSandbox 4.2.1 - 4.2.8
Fortinet/FortiSandbox 4.4.0 - 4.4.8
Fortinet/FortiSandbox 5.0.0 - 5.0.5
Fortinet/FortiSandbox Cloud 5.0.4 - 5.0.5
Fortinet/FortiSandbox PaaS 5.0.4 - 5.0.5
fortinet/fortisandbox_cloud 5.0.4 - 5.0.6
fortinet/fortisandbox_paas 5.0.4 - 5.0.6
Published: Jun 09, 2026
Tracked Since: Jun 09, 2026