VYPR
Critical severity (9.8) · NVD Advisory · Published Jun 9, 2026

CVE-2026-25089

Description

Fortinet FortiSandbox is vulnerable to OS command injection via crafted HTTP requests, allowing unauthenticated attackers to execute arbitrary commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An improper neutralization of special elements used in an OS command vulnerability (CWE-78) exists in the web UI of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Affected releases are FortiSandbox 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, and all versions of 4.2, plus FortiSandbox Cloud and FortiSandbox PaaS 5.0.4 through 5.0.5. The vulnerability is triggered by specifically crafted HTTP requests [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending specifically crafted HTTP requests to an affected device; no credentials are required. The flaw lies in the web UI's "start vnc" feature, which passes request-controlled input into an OS command without neutralizing the special characters the shell interprets, so an attacker can append commands of their own choosing [1].
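The weakness class above (CWE-78) is easiest to see side by side. The following is an added illustration, not FortiSandbox code and not derived from the vendor advisory: a hypothetical "start VNC" request handler that builds an OS command from request parameters, first the way that is injectable and then hardened. The real VNC launcher is replaced by `echo` so the example runs offline, and the parameter names `host` and `display` are assumptions for the sake of the example.

```python
import re
import subprocess

# Hypothetical CWE-78 illustration, NOT FortiSandbox's code. `echo` stands in for
# the real VNC launcher so the example runs offline; `host`/`display` are assumed names.

# Allow-list: hostname or IPv4 literal characters only, so no shell metacharacters.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def start_vnc_vulnerable(host: str, display: str) -> str:
    """Builds a shell command by string formatting and runs it through /bin/sh.

    Whatever the caller puts in `host` is interpreted by the shell, so a value like
    '127.0.0.1; echo INJECTED' runs a second command after the intended one.
    Returns the combined stdout so the injected output can be observed.
    """
    cmd = f"echo starting vnc for {host}:{display}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def start_vnc_hardened(host: str, display: str) -> str:
    """Validates both inputs against a strict allow-list and passes them as argv.

    No shell is involved (a list, not a string, and shell=False), so even a
    value that slips past validation cannot spawn a second command.
    Raises ValueError on anything that is not a plain host and a small display number.
    """
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"invalid host: {host!r}")
    if not display.isdigit() or int(display) > 99:
        raise ValueError(f"invalid display: {display!r}")
    argv = ["echo", "starting", "vnc", "for", f"{host}:{int(display)}"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def hardened_rejects(host: str, display: str) -> bool:
    """True if the hardened handler refuses the input (used for the checks below)."""
    try:
        start_vnc_hardened(host, display)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"  # constructed sample input
    print("vulnerable output:", repr(start_vnc_vulnerable(payload, "1")))
    print("hardened rejects payload:", hardened_rejects(payload, "1"))
    print("hardened normal call:", repr(start_vnc_hardened("sandbox.example", "1")))
```

The vulnerable handler's output contains the injected command's result; the hardened one refuses the same payload before any process is spawned, and its normal path never hands the input to a shell at all. Both layers matter: validation limits what reaches the command, and argv-without-shell removes the interpreter that made the metacharacters dangerous.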

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the affected FortiSandbox instance. In practice that is a full compromise of the appliance: confidentiality, integrity and availability are all at the attacker's discretion, which the 9.8 critical rating reflects.

Mitigation

Fortinet has released fixed versions. Upgrade to FortiSandbox 5.0.6 or above, FortiSandbox 4.4.9 or above, or FortiSandbox Cloud 5.0.6 or above. No fixed 4.2 release is listed, so 4.2 deployments need to move to a fixed 4.4 or 5.0 build; the advisory text likewise names no separate fixed build for FortiSandbox PaaS. FortiSandbox 5.2 and FortiSandbox Cloud 5.2 are not affected [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
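For triage across a fleet, the affected and fixed ranges stated above are worth encoding once rather than eyeballing. The following is an added helper, not Fortinet's tooling, that parses dotted version strings and answers "is this build affected?" and "what is the first fixed build on this branch?" using only the ranges given in this advisory; product names are taken verbatim from the page and branches the advisory gives no fix for (4.2, PaaS) return None.

```python
from typing import Dict, List, Optional, Tuple

# Added helper, not Fortinet's code. Ranges below are transcribed from this advisory.

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'5.0.5' -> (5, 0, 5). Raises ValueError on anything but dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


# Inclusive (low, high) ranges per product, as stated in the advisory.
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiSandbox": [((5, 0, 0), (5, 0, 5)), ((4, 4, 0), (4, 4, 8))],
    "FortiSandbox Cloud": [((5, 0, 4), (5, 0, 5))],
    "FortiSandbox PaaS": [((5, 0, 4), (5, 0, 5))],
}

# Branches where every build is affected ("all versions of 4.2").
AFFECTED_BRANCHES: Dict[str, List[Version]] = {
    "FortiSandbox": [(4, 2)],
    "FortiSandbox Cloud": [],
    "FortiSandbox PaaS": [],
}

# First fixed build per branch, from the Mitigation section. Branches absent here
# (FortiSandbox 4.2, all of PaaS) have no fixed release named in the advisory.
FIRST_FIXED: Dict[str, Dict[Version, Version]] = {
    "FortiSandbox": {(5, 0): (5, 0, 6), (4, 4): (4, 4, 9)},
    "FortiSandbox Cloud": {(5, 0): (5, 0, 6)},
    "FortiSandbox PaaS": {},
}


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside an affected range or branch."""
    if product not in AFFECTED_RANGES:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    if v[:2] in AFFECTED_BRANCHES[product]:
        return True
    # Python compares tuples lexicographically, so (5,0,5) <= (5,0,6) as expected.
    return any(low <= v <= high for low, high in AFFECTED_RANGES[product])


def first_fixed(product: str, version: str) -> Optional[str]:
    """First fixed build on the same major.minor branch, or None if the advisory lists none."""
    v = parse_version(version)
    fix = FIRST_FIXED.get(product, {}).get(v[:2])
    return ".".join(str(n) for n in fix) if fix else None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("FortiSandbox", "5.0.5"), ("FortiSandbox", "4.2.7"),
                 ("FortiSandbox Cloud", "5.0.4"), ("FortiSandbox", "5.2.0")]
    for product, ver in inventory:
        print(product, ver, "affected" if is_affected(product, ver) else "not affected",
              "-> upgrade to", first_fixed(product, ver) or "no fixed build listed on this branch")
```

A None from `first_fixed` for a build that `is_affected` reports as vulnerable is exactly the 4.2 case the Mitigation section describes: there is nothing to patch to on that branch, so the remediation is a branch move, not a point upgrade.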

Affected products

  • FortiSandbox: 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, all 4.2 releases
  • FortiSandbox Cloud: 5.0.4 through 5.0.5
  • FortiSandbox PaaS: 5.0.4 through 5.0.5

Patches (0)

No fix commit or patch diff discovered yet; the fixed release versions are listed under Mitigation above.

Vulnerability mechanics

No source-code context for this CVE. This section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (2)