Critical Patch Alert: FortiSandbox RCE (CVE-2026-25089), Ivanti & SAP Updates
Hey team,
Just catching up on the latest releases, and it looks like a busy week for patching. The big headline is CVE-2026-25089 in Fortinet products. We're looking at a command injection vulnerability in the FortiSandbox WEB UI (affecting Cloud and PaaS versions too) with a CVSS score of 9.1.
Since sandboxes often sit in a trusted position to detonate malware, an RCE here is a nightmare pivot point. Ivanti and SAP also released updates, but that 9.1 score on Fortinet feels like the urgent "drop everything" item.
Mitigation & Detection If you can't patch instantly, lock down that Web UI to specific source IPs immediately. For detection, watch for suspicious characters in URI parameters or processes spawned by the web server that shouldn't be there.
Here is a basic KQL snippet to help hunt for potential command injection attempts in your proxy or firewall logs:
DeviceProduct contains "Fortinet"
| where HttpRequestUri has_any (";", "|", "&&", "`") or UrlPath has_any (";", "|", "&&", "`")
| project TimeGenerated, SrcIpAddr, DstIpAddr, HttpRequestUri, HttpStatusCode
| order by TimeGenerated desc
Ivanti and SAP also put out fixes for arbitrary code execution flaws, so don't sleep on those if you have them in your environment.
Discussion: How is everyone handling the patching cadence for appliances like FortiSandbox? Do you stage these in a lab first, or with a CVSS 9.1, do you push immediately to prod and hope for the best?
Don't forget Ivanti. They've had a rough year with CVEs. If you are using their Endpoint Manager (EPM), make sure you validate the patch specifically for the remote code execution vector. We saw some attempted exploitation on our honeypots last night targeting the authentication bypass that led to this.
If you are doing threat hunting, check for abnormal user agent strings in your IIS logs if these appliances are reverse-proxied.
Great point on the pivot potential. If a sandbox gets owned, the attacker trusts the files coming out of it.
For those who can't patch immediately, consider segmenting the management VLAN. Here is a snippet to check current running version on FortiGate/Sandbox via SSH to ensure you aren't running an affected build:
get system status | grep Version
Always verify the build number against the advisory, not just the major version.
Solid advice on segmentation, Marcus. To complement that, you should hunt for the exploit attempt itself. Since this is a command injection issue, keep an eye out for the web server spawning unexpected shells.
If you have telemetry forwarded to a SIEM, try a query like this to spot the breakout early:
DeviceProcessEvents
| where InitiatingProcessFileName has "nginx"
| where ProcessFileName in~ ("sh", "bash", "perl", "python")
To complement the hunting advice, don't forget to check ingress logs for the specific encoding often used in command injection attempts. If you're forwarding FortiSandbox logs to a central server, grepping for encoded special characters is a quick way to catch obfuscated payloads.
grep -E "%7C|%60|%3B" /var/log/sandbox/access.log
This helps identify encoded pipes, backticks, or semicolons before they hit the interpreter.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access