CVE-2026-25089 is a critical operating system command injection vulnerability in the Web UI of Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. The flaw is caused by improper neutralization of special elements used in OS commands and is described as a second-order injection condition involving JSON input processed by the start VNC feature. Attacker-controlled input can be accepted in one code path and later incorporated into an OS command during VNC session initialization, allowing command execution on the underlying operating system. Affected versions include FortiSandbox 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, and all 4.2 versions, as well as FortiSandbox Cloud 5.0.4 through 5.0.5 and FortiSandbox PaaS 5.0.4 through 5.0.5.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small standalone Python proof-of-concept exploit for CVE-2026-25089, an unauthenticated OS command injection vulnerability in Fortinet FortiSandbox's Web UI/API VNC start functionality. The repo contains only two files: a Python exploit script and a README describing impact, affected versions, and mitigation guidance. The main exploit logic is in CVE-2026-25089.py. It builds a target URL by appending /api/vnc/start to a user-supplied base URL, then sends a POST request with a JSON body where vm_name contains shell metacharacters and an attacker-controlled command (formatted as "test-vm; <cmd> #"). This indicates the exploit abuses unsafe command construction on the server side. The script disables TLS certificate warnings, uses requests with verify=False, accepts a custom command and VNC port, and prints HTTP status/response text as a coarse success indicator. It treats HTTP 200 or 500 as signs the target may be vulnerable. Capabilities are straightforward but dangerous: arbitrary command execution on the appliance, with default commands for identity discovery and sensitive file disclosure, plus documented examples for outbound HTTP callbacks and reverse shells. Because the operator can freely choose the injected command, the exploit can support reconnaissance, persistence setup, lateral movement preparation, or full remote shell access. The code is not part of a larger exploitation framework and does not include advanced session handling, target fingerprinting, or automated post-exploitation, so OPERATIONAL is the best fit rather than WEAPONIZED. The README is descriptive rather than functional. It reiterates that the issue is network-reachable, requires no authentication, and affects FortiSandbox 4.2.x, 4.4.0-4.4.8, and 5.0.0-5.0.5, including Cloud and PaaS variants. Overall, this is a real exploit PoC rather than a detector or fake sample.
This repository is a small standalone Python proof-of-concept/tester for a claimed Fortinet FortiSandbox vulnerability, CVE-2026-25089, described as a second-order OS command injection in a VNC start workflow. The repository contains 5 files: a README, license, gitignore, requirements.txt, and one main Python script, cve-2026-25089.py. The only executable logic is in that Python file, making it the clear entry point. The exploit script has two main capabilities. First, it can simulate the vulnerable behavior locally via vulnerable_command_simulator(), which constructs a shell command using attacker-controlled JSON fields and executes it with subprocess.run(..., shell=True). This is the core exploit behavior and demonstrates arbitrary command execution through the vm_name parameter. Second, it can send the crafted JSON payload to a remote HTTP endpoint using requests.post() in send_to_target(), allowing the user to test a FortiSandbox-like API endpoint. The script disables TLS verification and suppresses urllib3 insecure request warnings, which is common in lab-oriented exploit tooling. The exploit is operational rather than a mere detector because it includes an actual command-execution path in local simulation mode and a delivery mechanism for remote payload submission. However, it is still basic: there is no authentication handling, no target fingerprinting, no response parsing beyond status/body preview, and no advanced payload staging. Payload customization is limited to JSON input and a simple --cmd override that rewrites vm_name to include injected shell commands. Repository structure is minimal and educational in tone. README.md provides setup and usage examples, including local simulation and remote POST testing. requirements.txt lists only the requests dependency. There is no framework usage, no modularization, and no auxiliary exploit components. Overall, this is a compact standalone PoC/test harness intended to demonstrate and exercise an HTTP-delivered OS command injection scenario against a FortiSandbox-like VNC start API.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
71 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A previously disclosed critical OS command injection vulnerability in FortiSandbox mentioned for background comparison.
A previously addressed critical OS command injection vulnerability in FortiSandbox mentioned only as background context alongside the main disclosure.
A critical unauthenticated command injection vulnerability affecting FortiSandbox products.
A FortiSandbox command injection vulnerability that allows unauthenticated code execution directly on the appliance.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.