#VU107353 OS Command Injection in FortiSandbox - CVE-2024-27778
Published: April 10, 2025
Vulnerability identifier: #VU107353
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-27778
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
FortiSandbox
FortiSandbox
Software vendor:
Fortinet, Inc
Fortinet, Inc
Description
The vulnerability allows a remote authenticated user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in an os command ('os command injection'). An authenticated attacker with at least read-only permission can execute unauthorized commands via crafted requests.
Remediation
Install update from vendor's website.