FORTINET Security Advisory
Published Date: June 9, 2026
Advisory Summary
Fortinet has disclosed a severe security vulnerability (CVSSv3 score 9.1) affecting FortiSandbox, including FortiSandbox Cloud and PaaS Web UI versions. The flaw stems from improper neutralization of special elements used in an OS command (CWE-78) and results in a second-order OS command injection: attacker-controlled input is accepted and stored by the application, then later passed unsanitized into an OS command. Exploitation can allow unauthenticated attackers to execute arbitrary OS commands via specially crafted HTTP requests targeting the "start vnc" feature.
This vulnerability severely compromises the integrity and security of FortiSandbox deployments, which are critical for advanced threat analysis and sandboxing in enterprise environments. Immediate patching or mitigation is strongly advised to prevent potential exploitation.
- Prioritize updating FortiSandbox systems to the latest patched versions.
- Audit web access logs for suspicious HTTP requests to detect potential exploitation attempts.
- Place FortiSandbox management and web interfaces in a segmented network and restrict access to trusted users and source IPs.
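As an added example (not part of the vendor advisory), the log audit above can be started with a small scanner that parses combined-format access log lines, URL-decodes the query string of requests to the "start vnc" feature, and flags any that carry shell metacharacters, the hallmark of a CWE-78 attempt. The endpoint path `/api/vnc/start`, the log format and the sample lines are assumptions constructed for the example; the real path must be taken from the appliance's own logs, and because the injection is second-order, a hit marks the request that planted the input, not the later command execution.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format. The path /api/vnc/start is an
# assumed placeholder: the advisory names the "start vnc" feature but gives no URL.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2026:10:00:01 +0000] "POST /api/vnc/start?vm=win10-01 HTTP/1.1" 200 512
10.0.0.9 - - [09/Jun/2026:10:02:17 +0000] "POST /api/vnc/start?vm=win10-01%26%26true HTTP/1.1" 200 512
10.0.0.9 - - [09/Jun/2026:10:02:20 +0000] "POST /api/vnc/start?vm=%24(hostname) HTTP/1.1" 500 0
10.0.0.7 - - [09/Jun/2026:10:03:00 +0000] "GET /login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Shell metacharacters that have no business in a VM-name or session parameter.
# Matched after URL-decoding, because the server decodes before it acts on them.
SHELL_META = re.compile(r'[;&|`$<>\n]')

def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """True for requests to the assumed 'start vnc' endpoint whose decoded
    query string contains shell metacharacters (CWE-78 indicator)."""
    target = entry["target"]
    if "/vnc/start" not in target.lower():
        return False
    _path, _, query = target.partition("?")
    return bool(SHELL_META.search(unquote_plus(query)))

def scan_log(text):
    """Return (ip, timestamp, decoded target) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["ts"], unquote_plus(entry["target"])))
    return hits

if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} -> {target}")
```

Hits are candidates for review rather than proof of compromise; correlate them with process or audit logs from the same time window before escalating.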
Staying proactive in vulnerability management will safeguard critical infrastructure against growing OS command injection threats.
Reference: Vendor Advisory