OS Command Injection in FortiSandbox
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-27778 |
| CWE-ID | CWE-78 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
FortiSandbox Server applications / DLP, anti-spam, sniffers |
| Vendor | Fortinet, Inc |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) OS Command Injection
EUVDB-ID: #VU107353
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-27778
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in an os command ('os command injection'). An authenticated attacker with at least read-only permission can execute unauthorized commands via crafted requests.
MitigationInstall update from vendor's website.
Vulnerable software versionsFortiSandbox: 3.0.5 - 4.4.4
CPE2.3- cpe:2.3:a:fortinet:fortisandbox:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortisandbox:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortisandbox:3.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortisandbox:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortisandbox:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortisandbox:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortisandbox:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortisandbox:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortisandbox:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:fortinet:fortisandbox:3.2.0:*:*:*:*:*:*:*
https://www.fortiguard.com/psirt/FG-IR-24-061
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
