PT-2025-50114 · Fortinet · FortiSandbox

Published 2025-12-09 · Updated 2025-12-16 · CVE-2025-53949

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Fortinet FortiSandbox 4.0, all versions
Fortinet FortiSandbox 4.2, all versions
Fortinet FortiSandbox 4.4.0 through 4.4.7
Fortinet FortiSandbox 5.0.0 through 5.0.2
Description
Fortinet FortiSandbox contains an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') weakness (CWE-78). An authenticated attacker can execute unauthorized code or commands on the underlying system by sending crafted HTTP requests. Three injection points are reported: the upload vdi file functionality, the name parameter, and the admindel confirm parameter. The Au:S component of the vector records that a valid session is required; the C:C/I:C/A:C components reflect arbitrary command execution on the underlying system once that session is obtained.
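To make the weakness concrete, the following Python example is added here; it is not Fortinet's code, and the real FortiSandbox request handlers are not public. It shows the unsafe pattern (a request parameter spliced into a shell command line) beside two independent hardening layers (allow-list validation and argv-list execution with no shell), plus a small check that flags shell metacharacters in decoded query-string values so the same idea can be run over access-log lines. The parameter names, the use of `echo` as a stand-in for the real tool, and the sample query strings are assumptions constructed for the illustration.

```python
import re
import subprocess
from urllib.parse import parse_qsl

# Hypothetical: the parameter names mirror the advisory's "name" and
# "confirm" parameters, but the real FortiSandbox handlers are not public.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\\'\"\n\r]")

# Constructed sample query strings, as they might appear in a web-access log.
SAMPLE_QUERIES = [
    "name=sample-01.vdi&confirm=1",      # benign
    "name=sample.vdi%3Bid&confirm=1",    # ';id' appended to name
    "name=ok&confirm=yes%7Cwhoami",      # '|whoami' in confirm
]


def vulnerable_handler(name: str) -> str:
    """Insecure pattern: the request parameter is spliced into a command
    line and handed to /bin/sh. 'echo' stands in for the real tool."""
    cmd = f"echo {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def no_shell_handler(name: str) -> str:
    """Second layer in isolation: argv-list execution. The value reaches
    the program as one argument and no shell ever parses it, so a payload
    such as 'x; echo INJECTED' is printed literally instead of executed."""
    return subprocess.run(["echo", name], capture_output=True, text=True).stdout


def hardened_handler(name: str) -> str:
    """Both layers: allow-list validation first, then argv-list execution."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected name parameter: {name!r}")
    return no_shell_handler(name)


def is_rejected(name: str) -> bool:
    """True when the hardened handler refuses the value."""
    try:
        hardened_handler(name)
    except ValueError:
        return True
    return False


def suspicious_params(query: str) -> list:
    """Return (parameter, decoded value) pairs whose value contains shell
    metacharacters. Run it over the query strings of access-log lines to
    hunt for injection attempts against parameters like 'name' and 'confirm'."""
    return [
        (key, value)
        for key, value in parse_qsl(query, keep_blank_values=True)
        if SHELL_METACHARS.search(value)
    ]


if __name__ == "__main__":
    payload = "x; echo INJECTED"
    print("vulnerable:", repr(vulnerable_handler(payload)))
    print("no shell:  ", repr(no_shell_handler(payload)))
    print("hardened:  ", "rejected" if is_rejected(payload) else "accepted")
    for q in SAMPLE_QUERIES:
        print(q, "->", suspicious_params(q))
```

The two layers are deliberately independent: if the allow-list is ever loosened (for example to admit spaces in display names), argv-list execution still keeps the value out of any shell parser, and the metacharacter check over decoded values catches attempts regardless of which parameter the attacker chooses.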
Recommendations
For every affected branch (Fortinet FortiSandbox 4.0 all versions, 4.2 all versions, 4.4.0 through 4.4.7, and 5.0.0 through 5.0.2) there is at the moment no information about a newer version that contains a fix for this vulnerability. Because exploitation requires an authenticated session, restricting administrative access to FortiSandbox to trusted management networks and reviewing the set of administrator accounts reduces exposure until a fixed build is identified.

RCE

Weakness Enumeration
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Identifiers

BDU:2026-04851
CVE-2025-53949
ZDI-25-1095
ZDI-25-1096
ZDI-25-1097

Affected Products

FortiSandbox