Critical FortiSandbox flaw lets unauthenticated attackers run commands

Fortinet has patched a critical flaw in FortiSandbox, the appliance that detonates suspicious files and feeds malware verdicts to the rest of a Fortinet security deployment. The bug (CVE-2026-25089, rated 9.8) is an OS command injection in the web interface that lets a remote, unauthenticated attacker run arbitrary commands by sending crafted HTTP requests. Compromising a sandbox is especially dangerous because attackers can both pivot deeper into the network and blind the very system meant to catch malware. Fixed versions are FortiSandbox 5.0.6 and 4.4.9, with matching updates for the Cloud and PaaS editions.

Check
Identify every FortiSandbox appliance, record its version, determine whether its web interface is reachable from untrusted networks, and review HTTP and admin logs for unexpected command execution.
Affected
FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web interfaces before the fixed releases (CVE-2026-25089), reachable by remote unauthenticated attackers over HTTP.
Fix
Upgrade FortiSandbox to 5.0.6 or 4.4.9 (and the matching Cloud and PaaS releases) now, and restrict management-interface access to trusted networks until patched.
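As an added example (not code from the article or from Fortinet), the Python script below applies the Check and Fix steps above to a constructed appliance inventory: it compares each version against the fixed releases named here (5.0.6 on the 5.0 branch, 4.4.9 on the 4.4 branch), reports any other branch as not covered rather than guessing, and ranks unpatched appliances whose management interface is exposed first. The inventory field names and hostnames are assumptions.

```python
"""Triage a FortiSandbox inventory against the fixed releases for CVE-2026-25089.

Added example, not Fortinet tooling. The inventory below is constructed sample
data; a real run would take asset-management or appliance API output instead."""
from typing import Optional

# Fixed builds named in the advisory, keyed by release branch (major, minor).
FIXED = {(5, 0): (5, 0, 6), (4, 4): (4, 4, 9)}


def parse_version(text: str) -> tuple:
    """'v5.0.6' -> (5, 0, 6); tolerates a leading 'v' and a '-buildNNNN' suffix."""
    core = text.strip().lstrip("v").split()[0].split("-")[0]
    return tuple(int(p) for p in core.split("."))


def patch_status(version: str) -> Optional[bool]:
    """True if at or above the fixed build for its branch, False if below,
    None for a branch the advisory does not name (verify with the vendor)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def triage(inventory: list) -> list:
    """Rank appliances so unpatched + exposed ones come first.
    Each entry is {'host', 'version', 'mgmt_exposed'} (assumed field names)."""
    rows = []
    for asset in inventory:
        status = patch_status(asset["version"])
        if status is False:
            action = "upgrade now; restrict management access" if asset["mgmt_exposed"] else "upgrade now"
        elif status is None:
            action = "branch not covered here; check the vendor advisory"
        else:
            action = "patched"
        rows.append({"host": asset["host"], "version": asset["version"],
                     "patched": status, "exposed": asset["mgmt_exposed"], "action": action})
    rank = {False: 0, None: 1, True: 2}  # unpatched, unknown, patched
    rows.sort(key=lambda r: (rank[r["patched"]], not r["exposed"]))
    return rows


if __name__ == "__main__":
    SAMPLE = [  # constructed sample inventory
        {"host": "fsa-dc1", "version": "5.0.5", "mgmt_exposed": True},
        {"host": "fsa-dc2", "version": "v5.0.6", "mgmt_exposed": False},
        {"host": "fsa-lab", "version": "4.4.8-build1234", "mgmt_exposed": False},
        {"host": "fsa-old", "version": "4.2.7", "mgmt_exposed": True},
    ]
    for row in triage(SAMPLE):
        print(f"{row['host']:8} {row['version']:16} exposed={row['exposed']!s:5} {row['action']}")
```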