CVE-2026-25089: FortiSandbox Unauthenticated RCE Added to CISA KEV — Patch Now
FortiSandbox Unauthenticated Command Injection Is Being Exploited in the Wild
CISA has added CVE-2026-25089 to its Known Exploited Vulnerabilities catalog — meaning there is confirmed, active exploitation in the wild. The flaw is an unauthenticated command injection in Fortinet's FortiSandbox, a network sandbox appliance used by enterprises to detonate and analyze suspicious files and URLs.
The KEV listing is the key signal here. CISA does not add vulnerabilities to this list speculatively; inclusion means threat actors are actively leveraging the vulnerability against real targets. For federal civilian agencies, a KEV listing triggers a mandatory remediation deadline under BOD 22-01. For everyone else, it's the strongest possible external signal that deferring this patch is a losing bet.
Why This Is Serious
Unauthenticated command injection in a network-facing security appliance is about as bad as it gets:
- No credentials required. An attacker with network access to the FortiSandbox management interface can execute arbitrary OS commands without needing a valid account.
- High-value target. FortiSandbox sits inside the security stack, often with broad network access and trusted status. Compromising it can give an attacker lateral movement, the ability to suppress or manipulate threat detection, or a foothold into the internal network.
- Already exploited. The KEV listing confirms this isn't theoretical. Someone is using it right now.
This follows a pattern of Fortinet appliances being a preferred entry point for nation-state and ransomware actors. Prior FortiOS and FortiGate vulnerabilities (CVE-2022-40684, CVE-2023-27997, CVE-2024-21762) were all weaponized within days of disclosure. FortiSandbox is a smaller attack surface but the exploitation profile is identical.
What to Do Right Now
- Audit exposure immediately. Identify all FortiSandbox instances in your environment. Check whether the management interface is reachable from untrusted networks or the internet — it should not be.
- Apply Fortinet's patch. Check Fortinet's PSIRT advisory for the fixed firmware versions and update all affected appliances. Do not wait for a maintenance window — treat this as an emergency change.
- Restrict network access. If you cannot patch immediately, firewall the FortiSandbox management interface to management VLANs only. Block all inbound access from untrusted sources at the perimeter as a temporary control.
- Hunt for compromise. Pull logs from FortiSandbox and adjacent systems and look for anomalous command execution, unexpected outbound connections, or new accounts. Given active exploitation, assume anything unpatched and internet-exposed may already be compromised.
- Federal agencies: CISA's BOD 22-01 requires remediation by the posted deadline — check the KEV catalog for the specific date and ensure your patch process meets it.
If your FortiSandbox deployment is air-gapped or on an isolated management network with no internet access, your risk is significantly lower — but patching is still required. Treat any internet-accessible instance as an active incident until patched and forensically cleared.
Synthesized by Claude · sanity-checked before publish.