Fortinet has patched a critical flaw in FortiSandbox, the appliance that detonates suspicious files and feeds malware verdicts to the rest of a Fortinet security deployment. The bug (CVE-2026-25089, rated CVSS 9.8) is an OS command injection in the web interface that lets a remote, unauthenticated attacker run arbitrary commands by sending crafted HTTP requests. Compromising a sandbox is especially dangerous because an attacker can both pivot deeper into the network and blind the very system meant to catch malware. Fixed versions are FortiSandbox 5.0.6 and 4.4.9, with matching updates for the Cloud and PaaS editions; until the update is applied, the appliance's web interface should not be reachable from untrusted networks.
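A practical follow-up to an advisory like this is checking an inventory of appliances against the fixed releases. The script below is an added example, not code from Fortinet or from the article, and it assumes two things the summary does not state: that the affected branches are exactly 5.0.x (fixed in 5.0.6) and 4.4.x (fixed in 4.4.9), and that version strings look like `v5.0.5,build0456`. Hostnames and versions in the sample inventory are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory summary, keyed by branch (major, minor).
# Assumption: every release on these two branches below the fixed build is
# treated as unpatched; the summary gives fix versions, not affected ranges.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (5, 0): (5, 0, 6),
    (4, 4): (4, 4, 9),
}

# Matches the leading "v5.0.5" in strings such as "v5.0.5,build0456" or "5.0.5".
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from a FortiSandbox version string, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(version_text: str) -> str:
    """Classify a version string against the fixed releases for CVE-2026-25089."""
    ver = parse_version(version_text)
    if ver is None:
        return "unparseable"
    fixed = FIXED_VERSIONS.get(ver[:2])
    if fixed is None:
        # Branches the summary does not mention: do not assume either way;
        # escalate to a human check of the vendor advisory.
        return "branch-not-covered"
    # Tuple comparison is numeric per component, so 5.0.10 sorts after 5.0.6.
    return "patched" if ver >= fixed else "unpatched"


def hosts_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose reported version is below the fix for its branch."""
    return sorted(h for h, v in inventory.items() if assess(v) == "unpatched")


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "fsa-dc1": "v5.0.5,build0456",
    "fsa-dc2": "v5.0.6,build0470",
    "fsa-lab": "v4.4.8,build0300",
    "fsa-old": "v4.2.7,build0220",
    "fsa-unk": "n/a",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:8} {ver:18} {assess(ver)}")
    print("needs patch:", hosts_needing_patch(SAMPLE_INVENTORY))
```

The branch lookup deliberately returns `branch-not-covered` rather than `patched` for releases the summary does not mention, so an unlisted older branch is flagged for review instead of silently passing; the numeric tuple comparison avoids the string-compare mistake where `5.0.10` would sort before `5.0.6`.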