Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Critical Vulnerability in Fortinet FortiSandbox

12 June 2026

Attackers can exploit a critical vulnerability in Fortinet FortiSandbox via HTTP requests to execute unauthorised commands on the affected system. Patch immediately.

Background

Fortinet has released security updates to address a critical OS command injection vulnerability (CVE-2026-25089) affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. This vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 9.1 out of 10.

Impact

Due to improper neutralisation of special elements used in OS commands in the FortiSandbox Web UI, an unauthenticated attacker could send specially crafted HTTP requests to execute unauthorised commands on the affected system.

Affected Products

These vulnerabilities affect the following Fortinet FortiSandbox products and versions:

  • All versions of FortiSandbox 4.2

  • FortiSandbox versions 4.4.0 through 4.4.8

  • FortiSandbox versions 5.0.0 through 5.0.5

  • FortiSandbox Cloud versions 5.0.4 through 5.0.5

  • FortiSandbox PaaS versions 5.0.4 through 5.0.5

Mitigation

Users and administrators of affected products are advised to update to the latest versions immediately.

References

https://fortiguard.fortinet.com/psirt/FG-IR-26-141

https://nvd.nist.gov/vuln/detail/CVE-2026-25089

Back to top