ctipilot.ch


CVE-2026-25089 — Fortinet FortiSandbox: unauthenticated OS command injection in the web UI's VNC-launch handler (CVSS 9.8)

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

Fortinet patched CVE-2026-25089 (CWE-78, internal reference FG-IR-26-141) on 9 June: the FortiSandbox web interface's "start VNC" handler passes attacker-controlled JSON to the underlying OS without sanitisation, allowing a remote unauthenticated attacker to achieve second-order command injection via a crafted HTTP request (NCSC-NL, 2026-06-11). Affected: FortiSandbox 5.0.0–5.0.5 and 4.4.0–4.4.8 (plus corresponding Cloud/PaaS builds); fixed in 5.0.6 and 4.4.9. CCB Belgium urges immediate patching and warns that the public availability of a proof-of-concept exploit increases the likelihood of exploitation (CCB Belgium, 2026-06-11). No in-the-wild exploitation is reported, and the management interface is not meant to be internet-reachable — but with a public PoC available, a compromised FortiSandbox hands an attacker every file your SOC submits for detonation, plus a trusted foothold inside the security stack (T1190). Discovered internally by Fortinet's product-security team; the FortiGuard PSIRT page was unreachable in this run (see § 7).
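To show the bug class the brief describes (request-controlled JSON reaching an OS command, CWE-78) from the defender's side, here is an added example that is not Fortinet's code: a hypothetical VNC-launch handler in its unsafe and hardened forms, a review helper that counts the words a shell would see, and a check against the affected version ranges quoted above. The field names, command template and allowlist regex are assumptions, not FortiSandbox's real schema.

```python
import json
import re
import shlex
import subprocess

# Constructed request body, modelled on the bug class the brief describes.
# Field names and the vncviewer command are assumptions, not the real handler.
CONSTRUCTED_REQUEST = '{"vm_id": "win10-01", "port": "5901"}'

VM_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")


def build_cmd_vulnerable(body: str) -> str:
    """Unsafe pattern: JSON fields are spliced into a shell string, so a
    shell metacharacter in the request becomes part of the command line."""
    req = json.loads(body)
    return f"vncviewer -port {req['port']} {req['vm_id']}"


def build_cmd_hardened(body: str) -> list[str]:
    """Safe pattern: validate each field against a strict allowlist and
    return an argv list, so input is never parsed as shell syntax."""
    req = json.loads(body)
    vm_id = str(req.get("vm_id", ""))
    if not VM_ID_RE.fullmatch(vm_id):
        raise ValueError("vm_id fails allowlist")
    port = str(req.get("port", ""))
    if not port.isdigit() or not 1024 <= int(port) <= 65535:
        raise ValueError("port out of range")
    return ["vncviewer", "-port", port, vm_id]


def rejected(body: str) -> bool:
    """True when the hardened builder refuses the request."""
    try:
        build_cmd_hardened(body)
    except ValueError:
        return True
    return False


def launch(argv: list[str]) -> int:
    # shell=False: argv elements reach execve() as separate arguments.
    return subprocess.run(argv, shell=False, check=False).returncode


def shell_token_count(cmd: str) -> int:
    """Review helper: how many words the shell would see. A request field
    that raises this above the template's four words is an injection."""
    return len(shlex.split(cmd))


def is_affected(version: str) -> bool:
    """Affected FortiSandbox builds per the brief: 5.0.0-5.0.5, 4.4.0-4.4.8."""
    parts = tuple(int(p) for p in version.split("."))
    return (5, 0, 0) <= parts <= (5, 0, 5) or (4, 4, 0) <= parts <= (4, 4, 8)
```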

CVE Summary Table

| CVE            | Product                                             | CVSS | EPSS | KEV | Exploited                 | Patch                                  | Source  |
|----------------|-----------------------------------------------------|------|------|-----|---------------------------|----------------------------------------|---------|
| CVE-2026-35273 | Oracle PeopleSoft PeopleTools 8.61/8.62 (PSEMHUB)   | 9.8  | n/a  | No  | Yes — zero-day, UNC6240   | Out-of-band alert 2026-06-10           | Oracle  |
| CVE-2026-49261 | MariaDB Server (Galera wsrep_notify_cmd)            | 10.0 | n/a  | No  | No                        | 11.8.8 / 11.4.12 / 10.11.18 / 10.6.27  | NCSC-CH |
| CVE-2026-45657 | Windows kernel (TCP/IP)                             | 9.8  | n/a  | No  | No                        | June 2026 cumulative                   | MSRC    |
| CVE-2026-26142 | Nuance PowerScribe                                  | 9.8  | n/a  | No  | No                        | June 2026 update                       | MSRC    |
| CVE-2026-47643 | Azure Stack Edge                                    | 9.8  | n/a  | No  | No                        | June 2026 update                       | MSRC    |
| CVE-2026-48579 | Exchange Online                                     | 9.1  | n/a  | No  | No                        | Service-side, no customer action       | MSRC    |
| CVE-2026-25089 | Fortinet FortiSandbox                               | 9.8  | n/a  | No  | PoC public                | 5.0.6 / 4.4.9                          | NCSC-NL |