Get the latest tech news

CVE-2026-25089: FortiSandbox unauthenticated command injection added to CISA KEV


Fortinet FortiSandbox contains a critical OS command injection vulnerability (CVSS 9.8) in the web UI allowing unauthenticated remote code execution via crafted HTTP requests. Third FortiSandbox CVE exploited in 2026. CISA KEV listed. Find exposed instances with RECON.

None

Get the Android app

Or read this on Hacker News

Read more on:

Photo of KEV

KEV

Photo of FortiSandbox

FortiSandbox

Photo of cisa kev

cisa kev

Related news:

News photo

Microsoft said exploitation was 'less likely' ... but CISA just added SharePoint RCE to KEV list

News photo

Critical Fortinet FortiSandbox flaws now exploited in attacks

News photo

Ivanti Sentry pre-auth RCE (CVE-2026-10520) – CVSS 10.0, public PoC, CISA KEV