Fortinet FortiSandbox Vulnerability Allows Attackers to Execute Unauthorized Commands
ID: 5d921c17-f544-5c5e-b52b-6b02628b78d6
STIX ID: report--5d921c17-f544-5c5e-b52b-6b02628b78d6
Feed Name: cybersecurityNews.com
Fortinet disclosed CVE-2026-25089, a critical (CVSSv3 9.1) unauthenticated OS command injection in the web interfaces of FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS that can allow remote attackers to execute arbitrary OS commands. Affected versions are listed (upgrade to 5.0.6 or 4.4.9 or above). Immediate actions include patching, restricting web UI access, and monitoring logs. No active exploitation has been reported.
