🔴 Critical  |  Source: CISA Known Exploited Vulnerabilities


A critical OS command injection vulnerability in Fortinet FortiSandbox (including its cloud and PaaS variants) allows an unauthenticated attacker to run arbitrary commands simply by sending crafted HTTP requests — no login required. This is actively being exploited in the wild, as confirmed by CISA’s addition to its Known Exploited Vulnerabilities catalogue. The potential impact is severe, as FortiSandbox is a security control itself, meaning compromise could blind an organisation to other threats.

Security Architect’s Take: Patch FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS immediately to the vendor-recommended fixed versions — the CISA remediation deadline is 19 July 2026. In the interim, restrict access to the FortiSandbox management interface at the network level to trusted IP ranges only, and review recent HTTP request logs for anomalous or crafted payloads targeting the affected endpoints.

Original advisory: CVE-2026-25089: Fortinet FortiSandbox