
[CIVN-2026-0314] OS command injection vulnerability in Fortinet’s sandbox products
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
FortiSandbox versions 5.0.0 through 5.0.5
FortiSandbox versions 4.4.0 through 4.4.8
FortiSandbox Cloud versions 5.0.4 through 5.0.5
FortiSandbox PaaS versions 5.0.4 through 5.0.5
Overview
A vulnerability has been reported in FortiSandbox products that could allow a remote attacker to perform OS command injection on the targeted systems.
Target Audience:
All end-user individuals using Fortinet products.
Risk Assessment:
High risk of remote code execution on affected systems.
Impact Assessment:
High risk of unauthorized code or command execution leading to access to sensitive information, escalation of privilege and disruption of services.
Description
Fortinet FortiSandbox is an advanced threat detection solution that isolates and analyses suspicious files and URLs in a secure sandbox environment to identify zero-day and targeted attacks.
An unauthenticated OS command injection vulnerability exists in Fortinet sandbox products due to improper input validation. A remote attacker can exploit it by sending specially crafted HTTP requests to execute arbitrary commands on the targeted system.
Successful exploitation of this vulnerability could allow remote code execution, system compromise, data exposure, and service disruption.
Solution
Apply appropriate updates as mentioned in the vendor advisory:
https://www.fortiguard.com/psirt/FG-IR-26-141
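To scope which systems need the update, the following added example (not part of the CERT-In advisory or of Fortinet's tooling) checks an asset inventory against the affected ranges listed under Software Affected. The inventory rows, hostnames and version-string formats are constructed assumptions, and a "not-listed" result only means the version falls outside the ranges listed here, not that it is confirmed fixed.

```python
import re

# Affected ranges copied from the "Software Affected" list of this advisory.
# Bounds are inclusive; versions outside these ranges are not classified here.
AFFECTED = {
    "FortiSandbox": [((5, 0, 0), (5, 0, 5)), ((4, 4, 0), (4, 4, 8))],
    "FortiSandbox Cloud": [((5, 0, 4), (5, 0, 5))],
    "FortiSandbox PaaS": [((5, 0, 4), (5, 0, 5))],
}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings like 'v5.0.3' or '4.4.8,build0000'."""
    m = _VERSION.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(product, version_text):
    """Return 'affected', 'not-listed', or 'unknown' for one inventory entry."""
    ranges = AFFECTED.get(product.strip())
    version = parse_version(version_text)
    if ranges is None or version is None:
        return "unknown"  # unrecognized product or unparseable version: review by hand
    # Tuples compare numerically, so 4.4.10 sorts after 4.4.8 (a string compare would not).
    if any(low <= version <= high for low, high in ranges):
        return "affected"
    return "not-listed"  # outside the advisory's ranges; confirm against the vendor advisory


def triage(inventory):
    """Map each (host, product, version) row to its classification."""
    return {host: classify(product, ver) for host, product, ver in inventory}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = [
    ("fsa-dc1", "FortiSandbox", "v5.0.3"),
    ("fsa-dc2", "FortiSandbox", "4.4.8,build0000"),
    ("fsa-lab", "FortiSandbox", "4.4.10"),
    ("fsa-cloud", "FortiSandbox Cloud", "5.0.3"),
    ("fsa-paas", "FortiSandbox PaaS", "5.0.5"),
    ("fsa-old", "FortiSandbox", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```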
Vendor Information
Fortinet
https://www.fortiguard.com/psirt
References
https://www.fortiguard.com/psirt/FG-IR-26-141
CVE Name
CVE-2026-25089
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


