Fortinet and Ivanti on Tuesday rolled out fixes for multiple vulnerabilities in their products, including critical-severity OS command injection flaws.
Fortinet published three advisories describing security defects in FortiSandbox, FortiOS, FortiProxy, and FortiPortal.
The most severe of the three bugs is CVE-2026-25089 (CVSS score of 9.8), an OS command injection issue impacting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI.
Remote, unauthenticated attackers could exploit the weakness via specially crafted HTTP requests to execute arbitrary commands on vulnerable appliances, the company’s advisory reads.
Patches for the CVE were included in FortiSandbox 5.0.6 and 4.4.9, FortiSandbox Cloud 5.0.6, and FortiSandbox PaaS 5.0.6.