FortiSandbox-Schwachstelle ermöglicht Angreifern unbefugte Befehle

The vulnerability stems from an improper neutralization of special elements used in an OS command (CWE-78) commonly known as OS command injection present in the FortiSandbox Web UI. requests, a remote, unauthenticated attacker can exploit this flaw to execute unauthorized commands on the underlying system.

Because no authentication is required to trigger the vulnerability, the attack complexity is low, and the potential blast radius is significant. Successful exploitation can result in the full compromise of the affected system’s confidentiality, integrity, and availability, which explains its near-maximum CVSS score.

The advisory was discovered and reported internally Fortinet’s Product Security team and published on June 9, 2026, under the internal reference FG-IR-26-141. Affected Versions and Fixes The vulnerability impacts the following product versions: FortiSandbox: Affected Versions: 5.0.0 – 5.0.5; Fix: Upgrade to 5.0.6 or above.

Technischer Hintergrund

FortiSandbox: Affected Versions: 4.4.0 – 4.4.8; Fix: Upgrade to 4.4.9 or above. FortiSandbox Cloud: Affected Versions: 5.0.4 – 5.0.5; Fix: Upgrade to 5.0.6 or above. FortiSandbox PaaS: Affected Versions: 5.0.4 – 5.0.5; Fix: Upgrade to 5.0.6 or above.

FortiSandbox 5.2, FortiSandbox Cloud 4.4, FortiSandbox Cloud 5.2, FortiSandbox PaaS 4.4, FortiSandbox PaaS 5.2, and FortiSandbox PaaS 23.4 are not affected are currently no reports of active exploitation in the wild, the unauthenticated nature of this attack vector makes it a high-priority target for threat actors.

FortiSandbox is widely deployed in enterprise environments as a malware analysis and threat detection platform, meaning a successful compromise could undermine an organization’s entire threat detection pipeline, giving attackers a strategic foothold.

Recommended Actions Security teams are strongly advised to take the following steps immediately: Upgrade affected FortiSandbox installations to version 5.0.6 or 4.4.9 or above Restrict web UI access to trusted IP ranges as a temporary mitigation Monitor logs for anomalous HTTP requests targeting the FortiSandbox web interface Review Fortinet’s official advisory at the Fortinet PSIRT portal for further guidance Organizations still running any affected 4.4.9 or 5.0.6 builds should treat this as an urgent patching priority given the critical severity and zero-authentication requirement.