CVE-2026-25089:FortiSandbox 未经身份验证的命令注入漏洞已被加入 CISA KEV 目录
CVE-2026-25089: FortiSandbox unauthenticated command injection added to CISA KEV

原始链接: https://hellorecon.com/blog/cve-2026-25089

2026年7月16日,美国网络安全与基础设施安全局(CISA)将 **CVE-2026-25089** 加入其已知被利用漏洞(KEV)目录。该漏洞为 Fortinet FortiSandbox 中的一项严重(CVSS 评分为 9.8)操作系统命令注入漏洞,目前已被积极利用。未经身份验证的远程攻击者可利用 Web 界面中的“启动 VNC”(start VNC)功能执行任意命令。 这是自 2026 年 6 月中旬以来,FortiSandbox 被在野利用的第三个漏洞(此前还有 **CVE-2026-39808** 和 **CVE-2026-39813**)。由于 FortiSandbox 为其他集成的 Fortinet 产品(如 FortiGate、FortiMail)提供威胁情报,因此一旦该设备被攻破,可能会破坏整个组织的安全基础设施。 **建议措施:** * **立即修补:** 升级至 FortiSandbox 4.4.9+ 或 5.0.6+ 版本。使用 4.2 版本的用户应联系 Fortinet 获取迁移指导。 * **限制访问:** 确保 Web 管理界面(443 端口)不对互联网开放;限制访问权限至安全的管理 VLAN 或跳转主机。 * **审计与排查:** 检查集成日志是否存在异常行为,并确保系统已修复 2026 年 4 月发现的相关两个漏洞。 * **验证完整性:** 监控是否存在未经授权的账户创建、配置更改或可疑的出站流量。

``` Hacker News 最新 | 往期 | 评论 | 提问 | 展示 | 工作 | 投稿 登录 CVE-2026-25089:FortiSandbox 未经身份验证的命令注入漏洞已被加入 CISA KEV 列表 (hellorecon.com) 15 分,由 slvnx 发布于 2 小时前 | 隐藏 | 往期 | 收藏 | 讨论 帮助 考虑申请 YC 2026 年秋季批次!申请截止日期为 7 月 27 日。 指南 | 常见问题 | 列表 | API | 安全 | 法律 | 申请 YC | 联系 搜索: ```
相关文章

原文

JULY 16, 2026CVSS 9.8 · CRITICAL · ACTIVELY EXPLOITED5 MIN READ

Fortinet FortiSandbox contains an unauthenticated OS command injection vulnerability in its web interface. Fortinet's CNA record assigns CVSS 9.8, while its PSIRT advisory lists 9.1; NVD has not issued an independent score. Defused reported exploitation attempts in mid-June, and CISA added CVE-2026-25089 to KEV on July 16 with a July 19 deadline for applicable FCEB systems. This is the third FortiSandbox vulnerability exploited in the wild within two months.

The Vulnerability

CVE-2026-25089 (CWE-78: Improper Neutralization of Special Elements used in an OS Command) is an OS command injection in FortiSandbox's web UI. The flaw is reported to affect the "start VNC" feature — an attacker can inject shell metacharacters via JSON payloads in HTTP requests to this endpoint. No authentication is required, no user interaction is needed, and attack complexity is low.

  • CVSS: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) — Fortinet CNA record; Fortinet PSIRT advisory lists 9.1; NVD has not published an independent assessment
  • CWE: CWE-78 (OS Command Injection)
  • AFFECTED: FortiSandbox 4.2.x (all versions), 4.4.0–4.4.8, 5.0.0–5.0.5; FortiSandbox Cloud 5.0.4–5.0.5; FortiSandbox PaaS 5.0.4–5.0.5
  • FIXED: FortiSandbox 4.4.9+, 5.0.6+; Cloud/PaaS 5.0.6+; the CNA record lists 4.2 as affected but Fortinet's advisory does not provide a 4.2 remediation — contact Fortinet for migration guidance
  • EXPLOITED: Active exploitation confirmed since mid-June 2026 — CISA KEV listed July 16, 2026 · BOD 26-04 deadline July 19, 2026 (FCEB agencies)
  • ADVISORY: Fortinet PSIRT FG-IR-26-141

Related FortiSandbox Exploitation Activity

CVE-2026-25089 is the third FortiSandbox vulnerability exploited in the wild in 2026. Two related flaws were patched in April and saw active exploitation by mid-June:

  • CVE-2026-39808 — OS command injection (CNA CVSS 9.8; PSIRT 9.1), unauthenticated RCE. Exploitation observed June 12 by KEVIntel.
  • CVE-2026-39813 — Path traversal leading to authentication bypass (CNA CVSS 9.8; PSIRT 9.1). Exploitation observed June 15 by Defused.

Threat intelligence firm Defused detected exploitation attempts against all three CVEs on honeypots. FortiSandbox is a high-value target because integrated Fortinet products — FortiGate, FortiMail, FortiWeb, FortiProxy — consume its threat verdicts to enforce blocking decisions and trigger automated responses. Because these products depend on FortiSandbox results, responders should review connected workflows for unexpected verdicts, signatures, or configuration changes.

Investigation Workflow

FortiSandbox appliances are typically deployed on internal networks behind firewalls, but their web management interface is often accessible from management VLANs or, in some deployments, from the internet. Identifying exposed instances is the first step.

1. Port Scan: Find FortiSandbox Appliances

FortiSandbox uses standard ports for its web UI and services. The management web interface — where CVE-2026-25089 resides — is the primary target:

  • 443 — HTTPS web UI (management interface — where the vulnerability resides)
  • 80 — HTTP web UI (if HTTPS redirect is not enforced)
  • 22 — SSH administration
  • 514 — OFTP (file/URL/traffic submissions from other Fortinet products)

2. HTTP Headers: Identify FortiSandbox Interfaces

FortiSandbox appliances return identifiable HTTP responses on their management interface:

  • • HTML title containing FortiSandbox
  • • HTTP headers referencing Fortinet or FortiSandbox
  • • Login page with Fortinet branding and FortiSandbox product name
  • Server header may identify the Fortinet web server

3. TLS Inspect: Examine Certificates

Pull the TLS certificate on port 443. Look for:

  • • Subject CN or SAN containing FortiSandbox or fortisandbox
  • • Default self-signed certificates from Fortinet (common on initial deployments)
  • • Organization field referencing Fortinet

4. DNS: Discover FortiSandbox Infrastructure

Query DNS for common FortiSandbox naming patterns: sandbox.*, fortisandbox.*, fsb.*, fsa.*. FortiSandbox appliances are often given descriptive hostnames in internal DNS.

5. CVE Lookup: Track All Three Vulnerabilities

Look up CVE-2026-25089, CVE-2026-39808, and CVE-2026-39813. All three target FortiSandbox and have been exploited in the wild. Check applicability for all three. FortiSandbox 4.4.9+ addresses all three vulnerabilities on the 4.4 branch; 5.0.6+ addresses the applicable vulnerabilities on 5.0. CVE-2026-39808 does not affect 5.0.

Note: The fingerprints above are heuristics — they identify likely FortiSandbox instances but do not confirm patch level. FortiSandbox does not expose its firmware version in HTTP headers. To verify the installed version, log into the management UI and check System > Dashboard.

Cross-Reference with External Data

  • SHODAN: Search http.title:"FortiSandbox" or ssl:"FortiSandbox" to find internet-exposed instances
  • CVE LOOKUP: Track CVE-2026-25089, CVE-2026-39808, and CVE-2026-39813 for exploit disclosures
  • CISA KEV: CVE-2026-25089 listed July 16, 2026 — BOD 26-04 deadline July 19, 2026 (FCEB agencies)
  • FORTINET: FG-IR-26-141

Remediation

  1. Patch immediately. Upgrade FortiSandbox to 4.4.9+ or 5.0.6+. Cloud and PaaS deployments should upgrade to 5.0.6+. The CNA record lists 4.2 as affected but Fortinet's advisory does not provide a 4.2 remediation — contact Fortinet for supported migration or mitigation guidance. If patching is not immediately possible, isolate the management interface from untrusted networks and restrict access to designated administrative hosts.
  2. Patch the related CVEs too. CVE-2026-39808 and CVE-2026-39813 were patched in April 2026 but may remain present on systems that have not received the April updates. Verify your FortiSandbox is patched against all three actively exploited vulnerabilities.
  3. Restrict management interface access. The web UI (port 443) should never be internet-facing. Restrict it to dedicated management VLANs or jump hosts with MFA. This limits the attack surface for all three CVEs.
  4. Audit Fortinet product integrations. FortiSandbox provides threat verdicts to FortiGate, FortiMail, FortiWeb, and FortiProxy. A compromised sandbox could potentially affect downstream verdict accuracy. Review integration logs for unexpected verdict changes or configuration modifications.
  5. Conduct compromise hunting. Fortinet has not published validated IOCs for this vulnerability. As general hunting guidance: review web UI access logs for unusual requests to VNC-related endpoints, look for unexpected outbound connections, new user accounts, or modified system configurations.
  6. Monitor for follow-on activity. FortiSandbox processes malware samples and has access to files submitted from across the network. A compromised appliance may have exposed sample data, network topology, or integration credentials for other Fortinet products.

Every tool used in this investigation — port scan, TLS inspect, HTTP headers, DNS, CVE lookup — runs from your phone in RECON. Get it on the App Store.

Follow @hellorecon for new CVE investigations.

Sources

联系我们 contact @ memedata.com