TL;DR

CISA has officially added CVE-2026-25089, a severe unauthenticated command injection flaw in FortiSandbox, to its KEV list. This marks a significant security concern for organizations using the product, with active exploitation reported.

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-25089, a critical unauthenticated command injection vulnerability in FortiSandbox, to its Known Exploited Vulnerabilities (KEV) list. This inclusion confirms active exploitation of the flaw, which poses a significant risk to organizations relying on FortiSandbox for security operations.

CVE-2026-25089 affects FortiSandbox, a security product used for threat detection and analysis. The vulnerability allows attackers to execute arbitrary commands on vulnerable systems without authentication, potentially leading to remote code execution and system compromise.

According to CISA, the flaw has been exploited in the wild, prompting urgent advisories for organizations to apply patches or mitigations. The vulnerability was identified by Fortinet and publicly disclosed in early March 2026, with details about the specific technical flaws still under review. You can learn more about CVE-2026-25089.

Fortinet has issued security updates addressing the flaw, but some users have yet to implement the patches, increasing the risk of compromise. Stay informed about other critical vulnerabilities like CVE-2026-39808. The vulnerability’s addition to the KEV underscores its severity and the need for immediate action by affected entities.

At a glance
updateWhen: announced March 2026, ongoing developme…
The developmentCISA has included the FortiSandbox vulnerability CVE-2026-25089 in its KEV list, confirming active exploitation and emphasizing the urgency for affected users.

Implications of CVE-2026-25089 for Enterprises

The inclusion of CVE-2026-25089 in the CISA KEV list highlights its critical nature and active exploitation. Organizations using FortiSandbox are at increased risk of remote compromise, data breaches, and potential lateral movement within networks. This vulnerability’s severity emphasizes the importance of timely patching and heightened security monitoring to prevent exploitation.

Fortinet FortiWeb-VM04 License 1 YR FortiSandbox Cloud FC-10-VVM04-123-02-12

Fortinet FortiWeb-VM04 License 1 YR FortiSandbox Cloud FC-10-VVM04-123-02-12

One-year license for FortiWeb-VM04 with FortiSandbox Cloud service support.

Part NumberFC-10-VVM04-123-02-12
Service Duration1 Year
Service TypeFortiSandbox Cloud

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Background and Timeline of FortiSandbox Vulnerability

FortiSandbox, developed by Fortinet, is widely used in enterprise environments for threat detection and analysis. The vulnerability CVE-2026-25089 was discovered by Fortinet security researchers and disclosed publicly in early March 2026. Exploitation reports emerged shortly after, prompting CISA to review the threat and include it in the KEV list.

This vulnerability joins a series of recent security issues affecting Fortinet products, reflecting ongoing challenges in managing complex security infrastructure. The flaw specifically involves unauthenticated command injection, a critical weakness that allows remote attackers to execute arbitrary commands on affected systems.

Fortinet has released patches, but the rapid emergence of exploitation underscores the need for organizations to prioritize updates and review their security policies.

“The addition of CVE-2026-25089 to the KEV list indicates active exploitation and underscores the urgency for affected organizations to apply security updates.”

— CISA spokesperson

Details of Exploitation and Technical Scope Still Unclear

While CISA confirms active exploitation, specific details about the attack vectors, scope, and affected versions of FortiSandbox are still emerging. It is not yet clear how widespread the exploitation is or whether specific threat actors are involved.

Further technical analysis from Fortinet and security researchers is awaited to fully understand the exploit mechanics and potential impact.

Expected Security Advisories and Patches in the Coming Days

Organizations should monitor updates from Fortinet regarding CVE-2026-25089, including security patches and mitigation guidance. It is anticipated that Fortinet will release additional advisories as more details about the exploitation become available.

Security teams are advised to review their systems, apply patches promptly, and enhance monitoring for signs of exploitation or abnormal activity related to FortiSandbox.

Key Questions

What is CVE-2026-25089?

CVE-2026-25089 is a critical security vulnerability in FortiSandbox that allows unauthenticated command injection, potentially enabling remote attackers to execute arbitrary commands on affected systems.

Why has CISA added this vulnerability to its KEV list?

CISA added CVE-2026-25089 to the KEV list because it is actively exploited in the wild, posing a significant risk to organizations using FortiSandbox.

What should organizations do now?

Organizations should prioritize applying security patches from Fortinet, review their security configurations, and monitor for signs of exploitation.

Are there known exploits in the wild?

Yes, CISA confirms that active exploitation has been observed, but specific details about the scope and actors are still emerging.

Will there be further updates?

Yes, expect additional advisories from Fortinet and security agencies as more information becomes available about the exploit and mitigation strategies.

Source: hn

You May Also Like

Anthropic, please ship an official Claude Desktop for Linux

A community request urges Anthropic to publish an official Linux version of Claude Desktop, addressing current reliance on unofficial, insecure workarounds.

New Serious Vulnerabilities Spiked Around Release Of Claude Mythos Preview

Multiple critical security flaws were identified coinciding with the release of Claude Mythos Preview, raising concerns over AI safety and security.

Since Linux 6.9, LUKS Suspend Stopped Wiping Disk-encryption Keys From Memory

Linux 6.9 introduces a change where suspend no longer wipes disk encryption keys from memory, raising security concerns.

CVE-2026-48939: iCagenda Unrestricted Upload Of File With Dangerous Type Vulnerability Actively Exploited (CISA KEV)

A critical vulnerability in iCagenda allows unrestricted upload of malicious files, actively exploited and posing serious security risks.