Fortinet Discloses Critical Authentication Bypass and Privilege Escalation in FortiSandbox
Fortinet has disclosed a critical path traversal vulnerability in FortiSandbox's JRPC API that allows unauthenticated attackers to bypass authentication and escalate privileges.
Fortinet on April 14 disclosed a critical vulnerability in its FortiSandbox appliance that could allow an unauthenticated attacker to bypass authentication and escalate privileges. The flaw, tracked as FG-IR-26-112, resides in the JRPC API and is caused by a path traversal weakness (CWE-24). With a CVSSv3 score of 9.1, the vulnerability is rated critical, though Fortinet has not yet released a detailed technical analysis or proof-of-concept exploit code.
The vulnerability affects FortiSandbox versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8. FortiSandbox 5.2 and 4.2 are not impacted. The advisory notes that an attacker can send specially crafted HTTP requests to the JRPC API to bypass authentication entirely, potentially gaining unauthorized access to the appliance and then escalating privileges to take full control.
Fortinet credited Loic Pantano of the Fortinet PSIRT team for internally discovering and reporting the vulnerability. The company has released patches for both affected version branches: users should upgrade to FortiSandbox 5.0.6 or above, or 4.4.9 or above. No workarounds or mitigations were provided for customers unable to patch immediately.
This disclosure comes amid a busy patch cycle for Fortinet. Earlier in April, the company addressed critical remote code execution flaws in FortiAuthenticator and FortiSandbox, as well as a missing authorization vulnerability in FortiClient for Windows that could expose VPN credentials. The repeated critical-severity advisories underscore the challenge of securing complex enterprise appliances that sit at network boundaries.
FortiSandbox is widely deployed in enterprise environments for analyzing suspicious files and URLs in a sandboxed environment before they reach internal systems. A full compromise of the appliance could allow attackers to intercept or manipulate threat intelligence, pivot to other network segments, or use the sandbox as a launch point for further attacks.
No evidence of in-the-wild exploitation has been reported at this time, but the high CVSS score and the lack of authentication requirements make the vulnerability an attractive target for threat actors. Security teams managing FortiSandbox deployments should prioritize patching, especially for internet-facing instances.
The advisory is available on the Fortinet PSIRT page.