• 2 min read
FortiSandbox bug hits CISA KEV as attacks intensify
CISA added CVE-2026-25089 to KEV on July 16 after reports of active FortiSandbox exploitation since mid-June.

Image: Hacker News
CISA added CVE-2026-25089 to its Known Exploited Vulnerabilities catalog on July 16, 2026, escalating pressure on organizations running Fortinet FortiSandbox to patch quickly. The flaw is an unauthenticated OS command injection in the product’s web interface, tied to the “start VNC” feature, and it has been under active exploitation since mid-June 2026, according to the source.
Fortinet’s CNA record assigns the bug a CVSS score of 9.8, while the company’s PSIRT advisory FG-IR-26-141 lists it at 9.1. NVD has not yet published an independent score. The issue is tracked as CWE-78, and the attack requires no authentication, no user interaction, and low attack complexity.
Affected versions listed in the source are:
- FortiSandbox 4.2.x: all versions
- FortiSandbox 4.4.0–4.4.8
- FortiSandbox 5.0.0–5.0.5
- FortiSandbox Cloud 5.0.4–5.0.5
- FortiSandbox PaaS 5.0.4–5.0.5
Fixed versions are FortiSandbox 4.4.9+ and 5.0.6+, with Cloud and PaaS also fixed in 5.0.6+. The source notes that the CNA record lists 4.2 as affected, but Fortinet’s advisory does not include a remediation path for that branch and tells customers to contact Fortinet for migration guidance.

Recommended reading
One in six PCs still run Windows 10
Three FortiSandbox bugs exploited in 2026
According to the source, CVE-2026-25089 is the third FortiSandbox vulnerability exploited in the wild within two months. Two other flaws were patched in April 2026 and were also reportedly exploited by mid-June:
- CVE-2026-39808 — OS command injection, CVSS 9.8 in the CNA record and 9.1 in the PSIRT advisory; exploitation was observed on June 12 by KEVIntel
- CVE-2026-39813 — path traversal leading to authentication bypass, also scored 9.8 by the CNA record and 9.1 by the PSIRT advisory; exploitation was observed on June 15 by Defused
Threat intelligence firm Defused detected exploitation attempts against all three CVEs on honeypots, the source says. That matters because FortiSandbox feeds threat verdicts into other Fortinet products including FortiGate, FortiMail, FortiWeb, and FortiProxy, which can use those results to block traffic or trigger automated responses.
Patch now, lock down management access
The source’s guidance is straightforward: patch immediately and make sure the web UI on port 443 is not exposed to the internet. If patching cannot happen right away, access to the management interface should be restricted to designated administrative systems, such as management VLANs or jump hosts with MFA.
It also advises defenders to verify exposure across all three actively exploited CVEs, review connected Fortinet workflows for unusual verdicts or configuration changes, and hunt for suspicious access to VNC-related endpoints, unexpected outbound connections, new user accounts, or modified system settings. For FCEB agencies, CISA’s BOD 26-04 deadline is July 19, 2026.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via Hacker News


