CVE-2025-53949
Published 2025-12-09
Priority P2 · 75 · High · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.54% (96.4th percentile)
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests.
Affected
7 ranges indexed
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortisandbox | 4.0.0 – 4.0.6 (advisory: all 4.0 releases) | — |
| fortinet | fortisandbox | 4.2.0 – 4.2.8 (advisory: all 4.2 releases) | — |
| fortinet | fortisandbox | 4.4.0 – 4.4.7 | — |
| fortinet | fortisandbox | 5.0.0 – 5.0.2 | — |
The other indexed rows (an unversioned fortinet/fortinet entry, an unversioned fortisandbox entry, and a 4.2.1 – 4.2.8 sub-range) add nothing beyond the ranges above. No fixed versions are indexed on this page; the vendor advisory FG-IR-25-479 is the source for fix releases.
Detection & IOCs (extracted from sources)
- Monitor authenticated HTTP requests to the FortiSandbox management interface for OS command injection payloads: shell metacharacters such as `;`, `|`, `&&`, `$(...)`, backticks and encoded newlines (`%0a`) inside request parameters. Percent-decode values (including nested encoding) before matching; a rule that looks only at the raw query string is trivially bypassed.
- The advisory names no specific endpoint ("multiple endpoints"), so audit every HTTP-accessible API and UI endpoint that passes user input to an OS command rather than watching a single path.
- Scope detection to authenticated sessions against FortiSandbox 5.0.0 through 5.0.2, 4.4.0 through 4.4.7, and all 4.2 and 4.0 releases.
- Exploitation requires an authenticated attacker: enforce strong authentication, MFA and least-privilege access to the management interface, and treat this as a post-authentication code execution path, so the set of accounts that can reach these endpoints is the attack surface to shrink.
- Because several endpoints are affected, a WAF or IPS rule covering one path is insufficient; apply coverage across all FortiSandbox HTTP endpoints, and where the appliance exposes them, pair request-side rules with host-side signals such as unexpected child processes of the web service.
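The first three items above describe a hunting procedure: decode request parameters, look for shell metacharacters, and restrict the search to authenticated sessions on affected builds. The script below is an added example (not from this page, its sources, or Fortinet) that implements that procedure in Python. The log line format, field layout and endpoint paths are constructed for the example; FortiSandbox's real log schema and the vulnerable endpoints are not published on this page. `is_affected` encodes only the ranges listed here, so `False` means "outside the listed ranges", not "confirmed fixed".

```python
"""Hunt for CWE-78 payloads in authenticated HTTP requests to a FortiSandbox
appliance, following the detection guidance on this page.

Log format, field names and endpoint paths below are constructed for this
example; the real FortiSandbox log schema and the affected endpoints are not
published on the page this example accompanies."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Shell metacharacters an injected OS command needs: separators, pipes,
# subshells, and a newline (%0a survives filters that only look for ';' and '|').
META = re.compile(r"[;|&`\n]|\$\(|\$\{")


def is_affected(version):
    """True if a FortiSandbox version string falls in a range listed on this page:
    4.0 and 4.2 (all releases), 4.4.0-4.4.7, 5.0.0-5.0.2."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if (major, minor) in {(4, 0), (4, 2)}:
        return True
    if (major, minor) == (4, 4):
        return patch <= 7
    if (major, minor) == (5, 0):
        return patch <= 2
    return False


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %2524 -> %24 -> $) before matching."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Constructed format: ts src_ip user method uri status ('-' = unauthenticated)."""
    ts, ip, user, method, uri, status = line.split()
    return {"ts": ts, "ip": ip, "user": user, "method": method,
            "uri": uri, "status": int(status)}


def suspicious_params(uri):
    """Yield (param, decoded_value, markers) for query values carrying metacharacters."""
    query = urlsplit(uri).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        markers = META.findall(value)
        if markers:
            yield name, value, markers


def hunt(lines, appliance_version):
    """Apply the page's scoping: only authenticated requests, only on affected builds.
    Returns one finding per flagged parameter."""
    findings = []
    if not is_affected(appliance_version):
        return findings
    for line in lines:
        rec = parse_line(line)
        if rec["user"] == "-":          # unauthenticated: out of scope for this CVE
            continue
        for name, value, markers in suspicious_params(rec["uri"]):
            findings.append({"ts": rec["ts"], "user": rec["user"],
                             "path": urlsplit(rec["uri"]).path,
                             "param": name, "value": value, "markers": markers})
    return findings


SAMPLE_LOG = [  # constructed lines, not real FortiSandbox logs
    "2025-12-10T08:14:02Z 10.0.0.5 analyst GET /api/v1/scan?file=report.pdf 200",
    "2025-12-10T08:14:09Z 10.0.0.5 analyst GET /api/v1/scan?file=report.pdf%3Bid 200",
    "2025-12-10T08:15:31Z 10.0.0.9 - POST /login?user=admin%7Cls 401",
    "2025-12-10T08:16:44Z 10.0.0.5 analyst GET /api/v1/export?name=x%2524%2528whoami%2529 200",
    "2025-12-10T08:17:03Z 10.0.0.7 admin GET /api/v1/hosts?name=host1%0acurl+10.0.0.99 200",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, "5.0.2"):
        print(finding)
```

On the sample, three requests are flagged (a `;id` suffix, a double-encoded `$(whoami)`, and a newline-separated `curl`), while the unauthenticated `|ls` attempt is skipped as out of scope. In production you would still keep the unauthenticated hits in a lower-priority bucket, since they show someone probing the interface even if they cannot trigger this CVE.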
GHSA
GHSA-g5pp-f223-r98m (unreviewed, 2025-12-09): CVE-2025-53949, HIGH, CWE-78. The advisory text is the CVE description given above.
Fortinet
FG-IR-25-479 (vendor advisory, 2025-12-09): OS command injection in multiple endpoints. CVE-2025-53949, HIGH, CWE-78, CVSS 7.2. Affected product: FortiSandbox. The advisory text is the CVE description given above.
Note on the score: the vendor rates this 7.2, while the top of this page shows 8.8 for the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. With every other metric held the same, a CVSS 3.1 base score of 7.2 is what PR:H yields, so the gap is consistent with the vendor treating the required privileges as high (an administrative account) rather than low. Either way the impact metrics agree: full compromise of the underlying system.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.