Impact
Fortinet FortiSandbox versions 4.4.0 to 4.4.8 contain an OS command injection flaw (CWE‑78). The flaw originates when the sandbox service accepts unvalidated parameters that are passed directly to the operating system, enabling an attacker to execute arbitrary code on the host. This can compromise the sandbox itself and potentially lead to loss of confidentiality, integrity, and availability.
Affected Systems
The vulnerability affects FortiSandbox 4.4.0 through 4.4.8 and FortiSandbox PaaS releases through 23.4.4374. All deployments running any of those builds are vulnerable and must be remediated.
Risk and Exploitability
The flaw has a CVSS base score of 9.1, indicating critical severity. EPSS score of 49% reflects a moderate to high likelihood of exploitation today, and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that the attack vector is external, likely through the sandbox ingestion API or user interface that accepts files, allowing an attacker to supply malicious input that is passed to the operating system.
OpenCVE Enrichment