Fortinet has released patches for a critical vulnerability in its FortiSandbox products, CVE-2026-25089, which has a CVSS score of 9.8. This OS command injection flaw allows unauthenticated attackers to execute arbitrary commands through specially crafted HTTP requests. The affected versions include FortiSandbox 5.0.0 to 5.0.5, 4.4.0 to 4.4.8, and certain versions of FortiSandbox Cloud and PaaS.
In addition, two medium-severity vulnerabilities affecting FortiOS, FortiProxy, and FortiPortal were addressed. Fortinet advises users to apply the security updates; there is no known exploitation of these vulnerabilities in the wild.