CVE-2026-25089: FortiSandbox unauthenticated command injection added to CISA KEV

Fortinet gets roasted as yet another break-in bug sends admins into full panic mode

TLDR: A newly exploited Fortinet bug lets attackers break into a security system without a password, and U.S. agencies have days to fix it. Commenters are split between roasting Fortinet for another public mess and blaming admins who leave management tools too exposed.

The security crowd did not take this one quietly. News that a serious FortiSandbox bug was added to CISA’s Known Exploited Vulnerabilities list sparked the usual mix of panic, sarcasm, and exhausted déjà vu. In plain English: this is a flaw that can let outsiders run commands on a company security box without even logging in, and commenters immediately zeroed in on the irony of a security product becoming the threat. The loudest reaction? A brutal chorus of “how is this happening again?” because this is now the third FortiSandbox flaw reportedly exploited in the wild in just two months.

The comment sections turned into a full-blown blame festival. Some users slammed Fortinet over the repeat hits, joking that the company’s patch notes now read like a TV series with weekly episodes. Others pushed back, saying internet-facing management panels are the real villain and that admins who expose these tools are basically "speedrunning a breach." Then came the score drama: people even argued over whether the severity rating should be 9.8 or 9.1, with the general public response being, essentially, “if strangers can break in without a password, who cares about the decimal fight?”

The jokes were merciless. Memes compared FortiSandbox to a sandcastle in a hurricane, and one running gag was that the “start VNC” feature really meant “start very nasty compromise.” Behind the snark, though, the anxiety is real: because other Fortinet products trust FortiSandbox’s decisions, commenters warned this could ripple through entire security setups if companies don’t patch fast.

Key Points

  • CVE-2026-25089 is an unauthenticated OS command injection vulnerability in the FortiSandbox web UI, specifically tied to the "start VNC" feature.
  • Fortinet’s CNA record scores the flaw at CVSS 9.8, while Fortinet’s PSIRT advisory lists 9.1; NVD had not issued an independent score.
  • CISA added CVE-2026-25089 to the KEV catalog on July 16, 2026, after exploitation attempts were reported since mid-June.
  • Affected versions include multiple FortiSandbox, Cloud, and PaaS releases; fixed versions begin at 4.4.9 and 5.0.6 depending on product line.
  • The article says this is the third FortiSandbox vulnerability exploited in the wild in 2026 and provides exposure and investigation steps using ports, HTTP headers, TLS certificates, and DNS.

Hottest takes

"A security appliance that needs security from itself" — packetmancer
"At this point FortiSandbox is just FortiDoorbell for attackers" — rootwyrm
"9.8 versus 9.1 is the most divorced-from-reality argument imaginable" — hexadecimate
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.