CVE-2025-53949
published 2025-12-09

CVE-2025-53949: An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSandbox…

Priority: P2 (75) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.54% (96.4th percentile)
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, and FortiSandbox 4.0 all versions may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests.

Affected

7 ranges

Vendor     Product        Version range    Fixed in
fortinet   fortinet                        (none listed)
fortinet   fortisandbox                    (none listed)
fortinet   fortisandbox   4.0.0 – 4.0.6    (none listed)
fortinet   fortisandbox   4.2.0 – 4.2.8    (none listed)
fortinet   fortisandbox   4.2.1 – 4.2.8    (none listed)
fortinet   fortisandbox   4.4.0 – 4.4.7    (none listed)
fortinet   fortisandbox   5.0.0 – 5.0.2    (none listed)

Detection & IOCs (extracted from sources)

  • Monitor authenticated HTTP requests to FortiSandbox endpoints for OS command injection payloads in request parameters: shell metacharacters such as ;, |, &&, $() and backticks. Inspect parameters after URL decoding, since these characters normally arrive percent-encoded (%3B, %7C, %26%26), sometimes more than once.
  • The vulnerability affects multiple endpoints on FortiSandbox, so audit every HTTP-accessible API/UI endpoint for unsanitized input that reaches an OS command.
  • Scope detection to authenticated sessions against FortiSandbox versions 5.0.0–5.0.2, 4.4.0–4.4.7, 4.2 all versions, and 4.0 all versions.
  • Exploitation requires an authenticated attacker, so enforce strong authentication, MFA, and least-privilege access to the FortiSandbox management interface to reduce the attack surface.
  • Because the vulnerability spans multiple endpoints, a single WAF/IPS rule targeting one endpoint may be insufficient; broad coverage across all FortiSandbox HTTP endpoints is required.
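The following is an added example, not code from FortiSandbox or from this page's sources, that turns the detection notes above into a log scan: it decodes each request parameter (including nested percent-encoding), flags the listed shell metacharacters, and only raises an alert when the request carries a session, since the advisory requires an authenticated attacker. The log line format, the /api/v1/scan path and the "session" cookie name are assumptions made for the constructed sample; substitute the real access-log format and session cookie of the device being monitored.

```python
"""Flag candidate OS command injection attempts in HTTP request logs.

Added example; not FortiSandbox code. The log format, the /api/v1/scan
path and the "session" cookie name are assumptions for the sample only.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Metacharacters from the detection note (; | && $( backtick), plus newline,
# which also terminates a command in POSIX shells. A lone '&' is excluded
# because it is the ordinary query-string separator.
METACHAR_RE = re.compile(r"&&|\|\||\$\(|[;|`\n]")

# Constructed log format:
#   <ts> <src-ip> <method> <target> <status> cookie="..." body="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3}) '
    r'cookie="(?P<cookie>[^"]*)" body="(?P<body>[^"]*)"$'
)

# Assumed session cookie name; replace with the product's real cookie.
SESSION_RE = re.compile(r"(?:^|;\s*)session=[^;\s]+")


def deep_unquote(value, rounds=3):
    """Undo nested percent-encoding so %2524%2528 -> %24%28 -> $( is seen as '$('."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def metachars_in(value):
    """Distinct shell metacharacters present in a fully decoded parameter value."""
    return sorted(set(METACHAR_RE.findall(deep_unquote(value))))


def scan_line(line):
    """Return an alert dict for an authenticated request carrying metacharacters, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    raw_inputs = [parts.query]
    if m["body"] != "-":
        raw_inputs.append(m["body"])

    hits = {}
    for raw in raw_inputs:
        for name, value in parse_qsl(raw, keep_blank_values=True):
            for c in metachars_in(value):
                hits.setdefault(name, [])
                if c not in hits[name]:
                    hits[name].append(c)
        # parse_qsl splits on '&', so a literal (unencoded) '&&' chain never
        # survives into a parameter value; catch it on the raw string instead.
        if "&&" in raw and "&&" not in hits.get("<raw>", []):
            hits.setdefault("<raw>", []).append("&&")
    if not hits:
        return None
    # The advisory requires an authenticated attacker; unauthenticated hits
    # are dropped here (a separate low-severity "attempt" rule could keep them).
    if not SESSION_RE.search(m["cookie"]):
        return None
    return {"ts": m["ts"], "ip": m["ip"], "method": m["method"],
            "path": parts.path, "hits": hits}


def scan_log(lines):
    """Scan an iterable of log lines and return the alerts in log order."""
    return [alert for alert in map(scan_line, lines) if alert]


# Constructed sample log lines (not real FortiSandbox traffic).
SAMPLE_LOG = [
    # benign, authenticated
    '2025-12-09T10:00:01Z 203.0.113.5 GET /api/v1/scan?file=report.pdf 200 cookie="session=8f3a1c" body="-"',
    # unauthenticated attempt: cannot reach the flaw per the advisory, not alerted
    '2025-12-09T10:00:02Z 198.51.100.7 POST /api/v1/scan 401 cookie="-" body="file=x%3Bid"',
    # authenticated, ';' hidden by single percent-encoding in the POST body
    '2025-12-09T10:00:03Z 198.51.100.7 POST /api/v1/scan 200 cookie="session=8f3a1c" body="file=report.pdf%3Bid"',
    # authenticated, $( ) hidden by double encoding in the query string
    '2025-12-09T10:00:04Z 198.51.100.7 GET /api/v1/scan?name=a%2524%2528id%2529 200 cookie="session=8f3a1c" body="-"',
    # authenticated, literal && chain that parse_qsl would otherwise split away
    '2025-12-09T10:00:05Z 198.51.100.7 POST /api/v1/scan 200 cookie="session=8f3a1c" body="file=a&&id"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run as-is it reports three alerts (the third, fourth and fifth sample lines); the unauthenticated attempt on the second line is deliberately dropped to match the advisory's precondition. The raw-string check for "&&" exists because form parsers split on "&", which would otherwise hide an unencoded command chain from any per-parameter rule.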