Vypr Intelligence · AI-generated · Jun 9, 2026 · 3 CVEs

Fortinet: Critical Command Injection and Other Flaws Disclosed Together

Fortinet disclosed three vulnerabilities on June 9, 2026, including a critical OS command injection flaw in FortiSandbox and two medium-severity issues in FortiPortal and FortiOS/FortiProxy.

Key findings

  • Critical OS command injection vulnerability (CVE-2026-25089) in FortiSandbox allows unauthenticated remote command execution.
  • Medium-severity improper access control vulnerability (CVE-2026-49938) affects multiple FortiPortal versions.
  • Internal asset exposure vulnerability (CVE-2025-67862) impacts various FortiOS and FortiProxy versions.
  • All three vulnerabilities were disclosed by Fortinet on June 9, 2026.
  • CVE-2026-25089 has a CVSSv3 score of 9.1 (Critical).

Fortinet addressed a trio of security vulnerabilities on June 9, 2026, with a critical flaw in its FortiSandbox product line taking center stage. The disclosures include a critical OS command injection vulnerability, alongside two medium-severity issues affecting FortiPortal and FortiOS/FortiProxy products.

The most severe of the disclosed vulnerabilities is CVE-2026-25089, a critical OS command injection flaw impacting FortiSandbox versions 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, and all versions of 4.2. It also affects FortiSandbox Cloud and FortiSandbox PaaS versions 5.0.4 through 5.0.5. This vulnerability allows unauthenticated remote attackers to execute arbitrary OS commands through the web interface by sending specially crafted HTTP requests. Cybersecurity News reported that this flaw, with a CVSSv3 score of 9.1, could enable attackers to execute unauthorized commands on the underlying system without requiring any authentication.

In addition to the critical FortiSandbox vulnerability, Fortinet also disclosed CVE-2026-49938, a medium-severity improper access control vulnerability affecting FortiPortal versions 7.4.0 through 7.4.7, 7.2.0 through 7.2.8, and all versions of 7.0. The exact attack vector for this issue was not fully detailed in the initial advisories but points to potential unauthorized access.

Another medium-severity vulnerability, CVE-2025-67862, was disclosed, impacting FortiOS versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, and all versions of 6.4. This issue also affects FortiProxy versions 7.6.0 through 7.6.3 and 7.4.0 through 7.4. The vulnerability is described as an 'Internal Asset Exposed to Unsafe Debug Access Level or State' (CWE-1244).

Details regarding specific patches or recommended mitigation steps for all three vulnerabilities were not immediately available in the initial disclosure, but users are advised to consult Fortinet's official advisories for the most up-to-date information on affected versions and remediation. The coordinated disclosure of these vulnerabilities highlights ongoing security challenges across Fortinet's product ecosystem.

Users of Fortinet products are urged to monitor for official patch releases and apply them promptly, especially given the critical nature of CVE-2026-25089. The potential for unauthenticated remote command execution on FortiSandbox systems presents a significant risk that requires immediate attention from affected organizations.

AI-written article. Grounded in 3 CVE records listed below.