TL;DR
CISA has officially added CVE-2026-25089, a severe unauthenticated command injection flaw in FortiSandbox, to its KEV list. This marks a significant security concern for organizations using the product, with active exploitation reported.
The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-25089, a critical unauthenticated command injection vulnerability in FortiSandbox, to its Known Exploited Vulnerabilities (KEV) list. This inclusion confirms active exploitation of the flaw, which poses a significant risk to organizations relying on FortiSandbox for security operations.
CVE-2026-25089 affects FortiSandbox, a security product used for threat detection and analysis. The vulnerability allows attackers to execute arbitrary commands on vulnerable systems without authentication, potentially leading to remote code execution and system compromise.
According to CISA, the flaw has been exploited in the wild, prompting urgent advisories for organizations to apply patches or mitigations. The vulnerability was identified by Fortinet and publicly disclosed in early March 2026, with details about the specific technical flaws still under review. You can learn more about CVE-2026-25089.
Fortinet has issued security updates addressing the flaw, but some users have yet to implement the patches, increasing the risk of compromise. Stay informed about other critical vulnerabilities like CVE-2026-39808. The vulnerability’s addition to the KEV underscores its severity and the need for immediate action by affected entities.
Implications of CVE-2026-25089 for Enterprises
The inclusion of CVE-2026-25089 in the CISA KEV list highlights its critical nature and active exploitation. Organizations using FortiSandbox are at increased risk of remote compromise, data breaches, and potential lateral movement within networks. This vulnerability’s severity emphasizes the importance of timely patching and heightened security monitoring to prevent exploitation.
Fortinet FortiWeb-VM04 License 1 YR FortiSandbox Cloud FC-10-VVM04-123-02-12

One-year license for FortiWeb-VM04 with FortiSandbox Cloud service support.
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background and Timeline of FortiSandbox Vulnerability
FortiSandbox, developed by Fortinet, is widely used in enterprise environments for threat detection and analysis. The vulnerability CVE-2026-25089 was discovered by Fortinet security researchers and disclosed publicly in early March 2026. Exploitation reports emerged shortly after, prompting CISA to review the threat and include it in the KEV list.
This vulnerability joins a series of recent security issues affecting Fortinet products, reflecting ongoing challenges in managing complex security infrastructure. The flaw specifically involves unauthenticated command injection, a critical weakness that allows remote attackers to execute arbitrary commands on affected systems.
Fortinet has released patches, but the rapid emergence of exploitation underscores the need for organizations to prioritize updates and review their security policies.
“The addition of CVE-2026-25089 to the KEV list indicates active exploitation and underscores the urgency for affected organizations to apply security updates.”
— CISA spokesperson
Details of Exploitation and Technical Scope Still Unclear
While CISA confirms active exploitation, specific details about the attack vectors, scope, and affected versions of FortiSandbox are still emerging. It is not yet clear how widespread the exploitation is or whether specific threat actors are involved.
Further technical analysis from Fortinet and security researchers is awaited to fully understand the exploit mechanics and potential impact.
Expected Security Advisories and Patches in the Coming Days
Organizations should monitor updates from Fortinet regarding CVE-2026-25089, including security patches and mitigation guidance. It is anticipated that Fortinet will release additional advisories as more details about the exploitation become available.
Security teams are advised to review their systems, apply patches promptly, and enhance monitoring for signs of exploitation or abnormal activity related to FortiSandbox.
Key Questions
What is CVE-2026-25089?
CVE-2026-25089 is a critical security vulnerability in FortiSandbox that allows unauthenticated command injection, potentially enabling remote attackers to execute arbitrary commands on affected systems.
Why has CISA added this vulnerability to its KEV list?
CISA added CVE-2026-25089 to the KEV list because it is actively exploited in the wild, posing a significant risk to organizations using FortiSandbox.
What should organizations do now?
Organizations should prioritize applying security patches from Fortinet, review their security configurations, and monitor for signs of exploitation.
Are there known exploits in the wild?
Yes, CISA confirms that active exploitation has been observed, but specific details about the scope and actors are still emerging.
Will there be further updates?
Yes, expect additional advisories from Fortinet and security agencies as more information becomes available about the exploit and mitigation strategies.
Source: hn