Security · 1h ago
FortiSandbox Flaw Added to CISA KEV: Unauthenticated RCE
CVE-2026-25089 is an unauthenticated command injection vulnerability in FortiSandbox, now added to CISA's Known Exploited Vulnerabilities catalog. The flaw allows remote attackers to execute arbitrary commands without authentication. Fortinet has released patches; administrators should apply them immediately.
Meridian48 take
The inclusion in CISA KEV confirms active exploitation, making this a must-patch for any organization using FortiSandbox.
Read the full reporting
CVE-2026-25089: FortiSandbox unauthenticated command injection added to CISA KEV →
Hacker News
cve-2026-25089fortinet