CVE-2026-25089: Fortinet FortiSandbox Unauthenticated OS Command Injection — How to Find Exposed Instances on Your Network
- JULY 16, 2026CVSS 9.8 · CRITICAL · ACTIVELY EXPLOITED5 MIN READFortinet FortiSandbox contains an unauthenticated OS command injection vulnerability in its web interface.
- Fortinet's CNA record assigns CVSS 9.8, while its PSIRT advisory lists 9.1; NVD has not issued an independent score.
- Defused reported exploitation attempts in mid-June, and CISA added CVE-2026-25089 to KEV on July 16 with a July 19 deadline for applicable FCEB systems.
Unverified
- JULY 16, 2026CVSS 9.8 · CRITICAL · ACTIVELY EXPLOITED5 MIN READFortinet FortiSandbox contains an unauthenticated OS command injection vulnerability in its web interface.
- Fortinet's CNA record assigns CVSS 9.8, while its PSIRT advisory lists 9.1; NVD has not issued an independent score.
- Defused reported exploitation attempts in mid-June, and CISA added CVE-2026-25089 to KEV on July 16 with a July 19 deadline for applicable FCEB systems.
Sources: Hellorecon