Article URL: https://hellorecon.com/blog/cve-2026-25089 Comments URL: https://news.ycombinator.com/item?id=48940895 Points: 21 # Comments: 0

Fortinet FortiSandbox contains an unauthenticated OS command injection vulnerability in its web interface. Fortinet's CNA record assigns CVSS 9.8, while its PSIRT advisory lists 9.1; NVD has not issued an independent score. Defused reported exploitation attempts in mid-June, and CISA added CVE-2026-25089 to KEV on July 16 with a July 19 deadline for applicable FCEB systems. This is the third FortiSandbox vulnerability exploited in the wild within two months. CVE-2026-25089 (CWE-78: Improper Neutralization of Special Elements used in an OS Command) is an OS command injection in FortiSandbox's web UI. The flaw is reported to affect the "start VNC" feature — an attacker can inject shell metacharacters via JSON payloads in HTTP requests to this endpoint. No authentication is required, no user interaction is needed, and attack complexity is low. CVE-2026-25089 is the third FortiSandbox vulnerability exploited in the wild in 2026. Two related flaws were patched in April and saw active exploitation by mid-June: Threat intelligence firm Defused detected exploitation attempts against all three CVEs on honeypots. FortiSandbox is a high-value target because integrated Fortinet products — FortiGate, FortiMail, FortiWeb, FortiProxy — consume its threat verdicts to enforce blocking decisions and trigger automated responses. Because these products depend on FortiSandbox results, responders should review connected workflows for unexpected verdicts, signatures, or configuration changes. FortiSandbox appliances are typically deployed on internal networks behind firewalls, but their web management interface is often accessible from management VLANs or, in some deployments, from the internet. Identifying exposed instances is the first step. FortiSandbox uses standard ports for its web UI and services. The management web interface — where CVE-2026-25089 resides — is the primary target: FortiSandbox appliances return identifiable HTTP responses on their management interface: Query DNS for common FortiSandbox naming patterns: sandbox.*, fortisandbox.*, fsb.*, fsa.*. FortiSandbox appliances are often given descriptive hostnames in internal DNS.