Mallory

Multiple Critical Vulnerabilities Disclosed in Fortinet FortiSandbox and FortiWeb Products

Tags: widely-deployed-product-advisory, embedded-device-vulnerability, perimeter-device-exposure, actively-exploited-vulnerability, identity-authentication-vulnerability
Updated March 21, 2026 at 03:06 PM (6 sources)

Fortinet has addressed several critical vulnerabilities affecting its FortiSandbox and FortiWeb products, with public advisories and technical details released on December 16, 2025. The most severe issues impact FortiSandbox, where multiple command injection vulnerabilities (CVE-2025-53949) allow authenticated attackers to execute arbitrary code as root via the admindel_confirm, name, and upload_vdi_file parameters. Additionally, a cross-site scripting vulnerability (CVE-2025-54353) in the hcproxy component could enable remote code execution with minimal user interaction. Fortinet has released patches for these flaws, and users are strongly advised to update affected systems immediately.

For FortiWeb, a critical authentication bypass vulnerability (CVE-2025-64447) was disclosed, stemming from improper verification of cryptographic signatures in the ApacheCookie_parse method, allowing unauthenticated attackers to gain access. These disclosures follow recent reports of active exploitation of a separate FortiWeb vulnerability (CVE-2025-64446), which enables unauthenticated attackers to create rogue administrator accounts and fully compromise exposed devices. Organizations using FortiWeb and FortiSandbox should review the official advisories and apply the recommended mitigations to prevent exploitation.
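The FortiWeb cookie issue above belongs to a well-known class: a session cookie whose signature can be reproduced by anyone holding a value that is not actually secret. The Python below is an added illustration of that class and its fix; it is not Fortinet's code and makes no claim about how ApacheCookie_parse is implemented. The serial number, key-derivation scheme, cookie layout and user names are all constructed for the example. The weak verifier derives its MAC key from a device serial treated as public knowledge and compares MACs with `==`; the hardened verifier uses a random per-installation secret, a constant-time comparison, and an expiry check.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values; nothing here is the product's real key-derivation scheme.
DEVICE_SERIAL = "EXAMPLE-SERIAL-000001"   # placeholder, assumed to be public knowledge
INSTALL_SECRET = secrets.token_bytes(32)  # random per-installation key (hardened design)


def weak_key(serial):
    """Anti-pattern: the MAC key is derived from an identifier that is not secret,
    so anyone who knows the serial can compute the same key."""
    return hashlib.sha256(serial.encode()).digest()


def issue_cookie(username, key, ttl=3600, now=None):
    """Build a cookie of the form 'user|expiry|hex-mac'; the MAC covers user and expiry."""
    expiry = int(now if now is not None else time.time()) + ttl
    payload = f"{username}|{expiry}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def weak_verify(cookie, serial):
    """Anti-pattern: serial-derived key and a plain '==' comparison.
    Returns the user name the cookie asserts, or None."""
    user, expiry, mac = cookie.split("|")
    expected = hmac.new(weak_key(serial), f"{user}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    return user if mac == expected else None


def strong_verify(cookie, key, now=None):
    """Hardened: random per-install key, constant-time compare, expiry enforced,
    malformed input rejected instead of raising."""
    try:
        user, expiry, mac = cookie.split("|")
        expiry = int(expiry)
    except ValueError:
        return None
    expected = hmac.new(key, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    if (now if now is not None else time.time()) >= expiry:
        return None
    return user


if __name__ == "__main__":
    # Anyone holding the serial can mint a cookie the weak verifier accepts.
    forged = issue_cookie("admin", weak_key(DEVICE_SERIAL))
    print("weak verifier accepts serial-keyed cookie:", weak_verify(forged, DEVICE_SERIAL))
    # The hardened verifier rejects it because its key was never derived from the serial.
    print("hardened verifier accepts it:", strong_verify(forged, INSTALL_SECRET))
    legit = issue_cookie("admin", INSTALL_SECRET)
    print("hardened verifier accepts its own cookie:", strong_verify(legit, INSTALL_SECRET))
```

The design point is that a MAC only authenticates a cookie to the extent the key is unknown to the party you are trying to keep out; deriving it from a serial number, MAC address or model string turns the check into a formatting test. `hmac.compare_digest` removes the timing side channel of `==`, and the expiry bound limits how long a leaked cookie stays useful.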

Timeline

  1. Dec 16, 2025

    Technical details of FortiWeb exploit chain are publicly documented

    By 2025-12-16, public reporting described how CVE-2025-64446 chained path traversal and authentication bypass issues to reach sensitive CGI scripts and impersonate administrators. Defenders were advised to look for suspicious POST requests, unexpected admin accounts, and anomalous logs.

  2. Dec 16, 2025

    CISA orders federal agencies to remediate exploited FortiWeb flaw

    Following confirmation of active exploitation of CVE-2025-64446, CISA mandated remediation for U.S. federal agencies. The order reflected the risk posed by global scanning and exploitation campaigns targeting vulnerable FortiWeb devices.

  3. Dec 16, 2025

    Fortinet releases fixes and public advisories for FortiWeb and FortiSandbox flaws

    On 2025-12-16, Fortinet released updates and coordinated public advisories covering FortiWeb vulnerabilities CVE-2025-64446 and CVE-2025-64447, as well as FortiSandbox vulnerabilities including CVE-2025-53949 and CVE-2025-54353. The advisories urged customers to apply patches immediately due to the severity of the issues.

  4. Oct 10, 2025

    FortiWeb auth bypass CVE-2025-64447 reported to Fortinet

    Jason McFadyen of Trend Research reported the FortiWeb authentication bypass vulnerability CVE-2025-64447 to Fortinet on 2025-10-10. The issue involved improper verification of a cryptographic signature and could let remote attackers bypass authentication without user interaction.

  5. Oct 1, 2025

    Attackers begin exploiting FortiWeb CVE-2025-64446 in the wild

    Active exploitation of FortiWeb path traversal vulnerability CVE-2025-64446 began in October 2025, according to reporting cited by watchTowr Labs and confirmed by Fortinet. The flaw allowed unauthenticated attackers to create rogue administrator accounts and take full control of affected devices.

  6. May 1, 2025

    FortiSandbox RCE flaws reported to Fortinet

    Jason McFadyen of Trend Research reported FortiSandbox command injection vulnerabilities later assigned CVE-2025-53949 to Fortinet in May 2025. The flaws affected multiple endpoints and could allow authenticated attackers to execute code as root.
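The first timeline entry says defenders were advised to look for suspicious POST requests, unexpected administrator accounts and anomalous logs. The Python below is an added example of what that hunt can look like in code; it is not a Fortinet detection rule and the access-log lines, request paths (`/api/example/...`, `/cgi-bin/example.cgi`) and account names are all constructed placeholders rather than the product's real endpoints or logs. It parses common-log-format lines, flags POST requests whose path contains a `..` segment after up to two rounds of URL decoding (so plain, single-encoded and double-encoded forms are all caught), and diffs the accounts currently holding admin rights against an approved baseline.

```python
import re
from urllib.parse import unquote

# Constructed sample web-access log lines in common log format. Addresses are
# documentation ranges and the paths are placeholders, not real product endpoints.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [16/Dec/2025:10:01:22 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.10 - - [16/Dec/2025:10:01:30 +0000] "POST /api/example/..%2f..%2fcgi-bin/example.cgi HTTP/1.1" 200 88
198.51.100.7 - - [16/Dec/2025:10:02:01 +0000] "POST /api/example/%252e%252e/cgi-bin/example.cgi HTTP/1.1" 200 88
192.0.2.5 - - [16/Dec/2025:10:03:44 +0000] "POST /api/example/objects HTTP/1.1" 200 120
192.0.2.5 - - [16/Dec/2025:10:04:10 +0000] "GET /static/../../etc/example HTTP/1.1" 404 0
"""

# Constructed: accounts currently holding the administrator role, and the
# baseline your team approved. Names are placeholders.
CURRENT_ADMINS = ["admin", "secops", "support_tmp"]
APPROVED_ADMINS = {"admin", "secops"}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# A '..' path segment bounded by '/', '\' or the string ends.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def parse_access_log(text):
    """Parse common-log-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            src, ts, method, path, status, _size = m.groups()
            entries.append({"src": src, "ts": ts, "method": method,
                            "path": path, "status": int(status)})
    return entries


def has_traversal(path, decode_rounds=2):
    """True if the path contains a '..' segment as written or after up to
    `decode_rounds` URL-decoding passes (catches %2e%2e and %252e%252e forms)."""
    candidate = path
    for _ in range(decode_rounds + 1):
        if TRAVERSAL_RE.search(candidate):
            return True
        candidate = unquote(candidate)
    return False


def suspicious_posts(text):
    """(src, path) pairs for POST requests whose path carries a traversal sequence.
    Only POSTs are reported because that is what the public reporting described;
    traversal in other methods is still worth a look during triage."""
    return [(e["src"], e["path"]) for e in parse_access_log(text)
            if e["method"] == "POST" and has_traversal(e["path"])]


def unexpected_admin_accounts(current, approved):
    """Accounts holding admin rights that are not in the approved baseline."""
    return sorted(set(current) - set(approved))


if __name__ == "__main__":
    for src, path in suspicious_posts(SAMPLE_ACCESS_LOG):
        print(f"ALERT traversal in POST from {src}: {path}")
    for acct in unexpected_admin_accounts(CURRENT_ADMINS, APPROVED_ADMINS):
        print(f"ALERT admin account not in baseline: {acct}")
```

Run it as a script to see the two flagged POSTs and the one unapproved account. In production the same two checks are usually wired up differently: the traversal test runs over logs shipped to a SIEM, and the admin-account diff runs on a schedule against the device's configured administrators, because a rogue account created before log retention began will only show up in the second check.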


Related Stories

Multiple Critical Vulnerabilities in Fortinet Security Products


Fortinet has disclosed several high-severity vulnerabilities affecting its security product lines, including FortiWeb, FortiVoice, and FortiSandbox. Notable issues include a cookie forgery vulnerability in FortiWeb (CVE-2025-64447) that allows unauthenticated attackers to execute arbitrary operations via forged cookies, provided they know the device's serial number, and an improper verification of cryptographic signatures in FortiWeb (CVE-2025-59719) that enables unauthenticated attackers to bypass FortiCloud SSO login authentication using crafted SAML responses. Additionally, FortiVoice is impacted by a path traversal vulnerability (CVE-2025-60024) permitting privileged authenticated attackers to write arbitrary files, and FortiSandbox suffers from an OS command injection flaw (CVE-2025-53949) that allows authenticated attackers to execute unauthorized code on the underlying system through crafted HTTP requests. All vulnerabilities are remotely exploitable and have been assigned high or critical CVSS scores, with the FortiWeb authentication bypass rated as critical (CVSS 9.8/10). Fortinet has released security advisories and patches for the affected versions, urging customers to update their systems promptly to mitigate the risk of exploitation. Security researchers and vendors have highlighted the urgency of these patches due to the potential for unauthenticated remote attacks and the critical role these products play in enterprise security architectures.

1 month ago
Critical FortiSandbox API Flaws Enable Unauthenticated Command Execution


Fortinet disclosed two critical vulnerabilities in **FortiSandbox** that allow remote, unauthenticated attackers to compromise exposed appliances through crafted HTTP requests. **`CVE-2026-39808`** is an OS command injection flaw in the FortiSandbox API that can lead to unauthorized command or code execution, while **`CVE-2026-39813`** is a path traversal issue in the JRPC API that can bypass authentication and enable privilege escalation. Both issues carry a **CVSS v3 score of 9.1**. The flaws affect **FortiSandbox 4.4.0 through 4.4.8**, and **`CVE-2026-39813`** also impacts **5.0.0 through 5.0.5**. Fortinet released fixes in **4.4.9** for both vulnerabilities and **5.0.6** for the JRPC issue, and said it had not observed exploitation in the wild at the time of disclosure. Organizations were urged to patch immediately, review internet-exposed deployments, and restrict API access to trusted networks until upgrades are completed.

2 weeks ago
Fortinet Discloses Critical Command Injection and SQL Injection Flaws


Fortinet disclosed two high-severity vulnerabilities affecting **FortiSandbox** and **FortiDDoS-F**, both of which could allow unauthorized code or command execution. **CVE-2026-39808** is an OS command injection flaw in FortiSandbox versions `4.4.0` through `4.4.8`, mapped to `CWE-78`, with a `CVSS 3.1` vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`, indicating remote exploitation without authentication and high impact across confidentiality, integrity, and availability. Fortinet also disclosed **CVE-2026-39815**, an SQL injection vulnerability in FortiDDoS-F versions `7.2.1` through `7.2.2`, mapped to `CWE-89`. The flaw requires low privileges but may likewise enable unauthorized code or command execution, and carries a `CVSS 3.1` vector of `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`. The issues are tracked in Fortinet advisories **FG-IR-26-100** and **FG-IR-26-119**, respectively, expanding the vendor's latest set of appliance security fixes.

2 weeks ago
