CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

Second-Order OS Command Injection via JSON Input on start vnc feature

unknownCVE-2026-25089
CVSSv3 Score: 9.1 An improper neutralization of special elements used in an OS command vulnerability [CWE-78] in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests. Revised on 2026-06-09 00:00:00

CSIRTS triage

What
An improper neutralization of special elements used in an OS command vulnerability allows unauthenticated attackers to execute unauthorized commands.
Who is affected
Users of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI.
Urgency
Remediation is critical due to the high severity and potential for remote code execution.
Action
Apply the latest security updates from Fortinet.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch FortiSandbox

Get an email when a new FortiSandbox advisory drops — max one per day, one-click unsubscribe.

Details

Source
Fortinet FortiGuard PSIRT (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://fortiguard.fortinet.com/psirt/FG-IR-26-141

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-25089coverage & exploitation statusNVD · CVE.org

More from Fortinet FortiGuard PSIRT