Fortinet Discloses OS Command Injection Vulnerability in FortiSandbox Cloud and PaaS
Fortinet has disclosed a high-severity OS command injection vulnerability in the web UI of FortiSandbox Cloud and FortiSandbox PaaS, allowing privileged attackers to execute arbitrary commands.

Fortinet has disclosed a high-severity OS command injection vulnerability (FG-IR-26-096) affecting the web UI of FortiSandbox Cloud and FortiSandbox PaaS. The flaw, classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), allows a privileged attacker with a super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests. The vulnerability carries a CVSSv3 score of 6.7, placing it in the high-severity range.
The affected products include FortiSandbox Cloud version 5.0.4 and FortiSandbox PaaS version 5.0.4. FortiSandbox Cloud 4.4 and FortiSandbox PaaS 23.4 and 4.4 are not affected. Fortinet has released fixes for both affected products; upgrading to version 5.0.5 or above remediates the issue. The advisory was initially published on March 10, 2026, and later updated on March 26, 2026, to include the PaaS product line.
The vulnerability was internally discovered and reported by Adham El Karn of the Fortinet Product Security team. As of the advisory revision date, no public exploit code or in-the-wild exploitation activity has been reported. The privileged access required somewhat mitigates the risk, but organizations running affected versions should still prioritize patching.
FortiSandbox is a critical security appliance used for advanced threat detection and analysis, often deployed in enterprise environments to sandbox suspicious files and URLs. A compromise of the sandbox itself could allow attackers to evade detection and gain deeper access to network defenses. The command injection flaw specifically targets the vmimages update feature within the web UI, which manages the virtual machine images used in sandboxing.
This disclosure follows a series of Fortinet advisories in recent months, including patches for critical RCE flaws in FortiAuthenticator and FortiSandbox, as well as command injection vulnerabilities in FortiAP devices. The pattern underscores the ongoing challenge of securing complex, multi-function security appliances that expose both web interfaces and CLI access.
Organizations using FortiSandbox Cloud or PaaS should immediately upgrade to version 5.0.5 or later. As a general best practice, Fortinet recommends limiting super-admin access to trusted personnel and monitoring for unusual HTTP requests targeting the web UI. While no active exploitation has been observed, the internal discovery suggests proactive security testing remains essential for maintaining the integrity of security infrastructure.