CISA has added CVE‑2026‑25089 to its Known Exploited Vulnerabilities catalogue, affecting Fortinet’s FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS products. The vulnerability is an OS command injection flaw that permits an unauthenticated attacker to execute arbitrary commands by sending specially crafted HTTP requests.
Technically, the flaw resides in the input validation of the web interface, allowing remote code execution without authentication. It carries a CVSS v3.1 base score of 9.1, rated Critical, and a patch is available through Fortinet advisory FG‑IR‑26‑141. The attack vector is network‑based, requiring only the ability to reach the affected service over HTTP.
Active exploitation has been confirmed, which is the basis for its inclusion in the KEV catalogue; there is no publicly known ransomware campaign leveraging this CVE at present. CISA has set a remediation deadline of 19 July 2026 for federal civilian executive branch agencies to apply the necessary mitigations.
CISA’s required action is to apply mitigations in accordance with vendor instructions, ensuring compliance with BOD 26‑04 Prioritizing Security Updates Based on Risk and the Forensics Triage Requirements. For cloud services, stakeholders must follow the applicable BOD 26‑04 guidance or discontinue use if mitigations are unavailable. Each asset’s internet exposure must be evaluated and adherence to BOD 26‑04 patching guidelines ensured.
While the directive binds FCEB agencies, all organisations are advised to review their exposure to FortiSandbox and apply the patch or mitigations promptly.
For full details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-25089 and the CISA KEV catalogue.