CVE-2025-53949
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-09
Assigner: Fortinet, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortisandbox | 4.0 |
| fortinet | fortisandbox | 4.2 |
| fortinet | fortisandbox | 4.4.0 |
| fortinet | fortisandbox | 4.4.1 |
| fortinet | fortisandbox | 4.4.2 |
| fortinet | fortisandbox | 4.4.3 |
| fortinet | fortisandbox | 4.4.4 |
| fortinet | fortisandbox | 4.4.5 |
| fortinet | fortisandbox | 4.4.6 |
| fortinet | fortisandbox | 4.4.7 |
| fortinet | fortisandbox | 5.0.0 |
| fortinet | fortisandbox | 5.0.1 |
| fortinet | fortisandbox | 5.0.2 |
| fortinet | fortisandbox | From 5.0.0 (inc) to 5.0.3 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS Command Injection in Fortinet FortiSandbox versions 4.0 through 5.0.2. It allows an authenticated attacker to execute unauthorized commands on the underlying system by sending specially crafted HTTP requests. This happens because the software does not properly neutralize special elements in OS commands, leading to potential execution of malicious code.
How can this vulnerability impact me?
The vulnerability can allow an authenticated attacker to execute arbitrary code on the system, potentially leading to full system compromise. This can result in unauthorized access, data theft, disruption of services, or further attacks within the network.