Description
An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
Published: 2026-06-09
Score: 9.1 Critical
EPSS: 23.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an OS command injection that allows an unauthenticated attacker to execute arbitrary operating‑system commands on a FortiSandbox appliance via specially crafted HTTP requests, thereby compromising system integrity and confidentiality. The flaw results from improper neutralization of special elements used in an OS command and is classified as CWE‑78.

Affected Systems

The affected products are Fortinet FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS. Any on-prem instance running FortiSandbox version 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, or any 4.2.x release is vulnerable. FortiSandbox Cloud and FortiSandbox PaaS are affected in versions 5.0.4 through 5.0.5.

Risk and Exploitability

The EPSS score of 23% indicates a moderate probability of exploitation in the wild, while the CVSS score of 9.1 reflects a very high severity impact. The flaw permits an unauthenticated attacker to execute arbitrary OS commands via specially crafted HTTP requests, granting full remote code execution. Although not listed in CISA’s KEV catalog, the combination of a high CVSS score and a 23% EPSS warrants urgent attention.

Generated by OpenCVE AI on June 24, 2026 at 13:12 UTC.

Remediation

Vendor Solution

  • Upgrade to upcoming FortiSandbox version 5.2.0 or above
  • Upgrade to FortiSandbox version 5.0.6 or above
  • Upgrade to FortiSandbox version 4.4.9 or above
  • Upgrade to upcoming FortiSandbox PaaS version 5.2.0 or above
  • Upgrade to FortiSandbox PaaS version 5.0.6 or above
  • Fortinet remediated this issue in FortiSandbox Cloud version 5.2.0 (not released) and hence customers do not need to perform any action.
  • Fortinet remediated this issue in FortiSandbox Cloud version 5.0.6 (not released) and hence customers do not need to perform any action.


OpenCVE Recommended Actions

  • Upgrade on‑prem FortiSandbox to version 5.2.0 or later, which contains the fix for all affected releases.
  • If 5.2.0 is unavailable, update the on‑prem installation to the next patch level: FortiSandbox version 5.0.6 or FortiSandbox version 4.4.9.
  • Upgrade FortiSandbox PaaS to version 5.2.0 or later, which contains the fix for all affected releases.
  • FortiSandbox Cloud deployments currently do not require action because Fortinet has remediated the issue in forthcoming releases; however, plan to upgrade once 5.0.6 becomes available if you are on earlier versions.
  • If desired, restrict or monitor traffic to FortiSandbox API endpoints until a patch is deployed.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Vulnerability

Wed, 24 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Vulnerability

Wed, 24 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Vulnerability

Wed, 24 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Enables Unauthenticated Remote Code Execution

Tue, 23 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title FortiSandbox OS Command Injection Enables Unauthenticated Remote Code Execution

Tue, 23 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated OS Command Injection Enables Remote Execution in FortiSandbox

Tue, 23 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated OS Command Injection Enables Remote Execution in FortiSandbox

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated OS Command Injection in FortiSandbox via HTTP Requests

Tue, 16 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated OS Command Injection in FortiSandbox via HTTP Requests

Thu, 11 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Fortinet fortisandbox Cloud
Fortinet fortisandbox Paas
CPEs cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox_cloud:*:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox_paas:*:*:*:*:*:*:*:*
Vendors & Products Fortinet fortisandbox Cloud
Fortinet fortisandbox Paas

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Title Unrestricted OS Command Injection in Fortinet FortiSandbox

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Unrestricted OS Command Injection in Fortinet FortiSandbox

Tue, 09 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Description An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests.
First Time appeared Fortinet
Fortinet fortisandbox
Fortinet fortisandboxcloud
Fortinet fortisandboxpaas
Weaknesses CWE-78
CPEs cpe:2.3:a:fortinet:fortisandbox:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.2.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.1:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.2:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandbox:5.0.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxcloud:5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxcloud:5.0.5:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:5.0.4:*:*:*:*:*:*:*
cpe:2.3:a:fortinet:fortisandboxpaas:5.0.5:*:*:*:*:*:*:*
Vendors & Products Fortinet
Fortinet fortisandbox
Fortinet fortisandboxcloud
Fortinet fortisandboxpaas
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: fortinet

Published:

Updated: 2026-06-10T13:35:01.375Z

Reserved: 2026-01-29T09:27:29.820Z

Link: CVE-2026-25089

Vulnrichment

Updated: 2026-06-09T15:36:07.778Z

NVD

Status: Analyzed

Published: 2026-06-09T16:16:39.943

Modified: 2026-06-11T21:39:00.893

Link: CVE-2026-25089

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T13:15:15Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')