blindthoughts
breaking · By

CVE-2026-25089: FortiSandbox Unauthenticated RCE Added to CISA KEV — Patch Now

FortiSandbox Unauthenticated Command Injection Is Being Exploited in the Wild

CISA has added CVE-2026-25089 to its Known Exploited Vulnerabilities catalog — meaning there is confirmed, active exploitation in the wild. The flaw is an unauthenticated command injection in Fortinet's FortiSandbox, a network sandbox appliance used by enterprises to detonate and analyze suspicious files and URLs.

The KEV listing is the key signal here. CISA does not add vulnerabilities to this list speculatively; inclusion means threat actors are actively leveraging the vulnerability against real targets. For federal civilian agencies, a KEV listing triggers a mandatory remediation deadline under BOD 22-01. For everyone else, it's the strongest possible external signal that deferring this patch is a losing bet.

Why This Is Serious

Unauthenticated command injection in a network-facing security appliance is about as bad as it gets:

This follows a pattern of Fortinet appliances being a preferred entry point for nation-state and ransomware actors. Prior FortiOS and FortiGate vulnerabilities (CVE-2022-40684, CVE-2023-27997, CVE-2024-21762) were all weaponized within days of disclosure. FortiSandbox is a smaller attack surface but the exploitation profile is identical.

What to Do Right Now

  1. Audit exposure immediately. Identify all FortiSandbox instances in your environment. Check whether the management interface is reachable from untrusted networks or the internet — it should not be.
  1. Apply Fortinet's patch. Check Fortinet's PSIRT advisory for the fixed firmware versions and update all affected appliances. Do not wait for a maintenance window — treat this as an emergency change.
  1. Restrict network access. If you cannot patch immediately, firewall the FortiSandbox management interface to management VLANs only. Block all inbound access from untrusted sources at the perimeter as a temporary control.
  1. Hunt for compromise. Pull logs from FortiSandbox and adjacent systems and look for anomalous command execution, unexpected outbound connections, or new accounts. Given active exploitation, assume anything unpatched and internet-exposed may already be compromised.
  1. Federal agencies: CISA's BOD 22-01 requires remediation by the posted deadline — check the KEV catalog for the specific date and ensure your patch process meets it.

If your FortiSandbox deployment is air-gapped or on an isolated management network with no internet access, your risk is significantly lower — but patching is still required. Treat any internet-accessible instance as an active incident until patched and forensically cleared.

Sources
  1. CVE-2026-25089: FortiSandbox unauthenticated command injection added to CISA KEV

Synthesized by Claude · sanity-checked before publish.

Share:𝕏inr/HN🦋@
Was this useful?