CVE-2026-25089 is a CVSS 9.8 unauthenticated OS command injection flaw in Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS, allowing a network-adjacent attacker to execute arbitrary OS commands without credentials. The 83.7th-percentile EPSS score indicates elevated exploitation probability, and the vulnerability is not yet in the CISA KEV catalog, meaning defensive attention may lag the actual risk level. Emergency patching is required for affected on-premises versions.