Fortinet Discloses Path Traversal Vulnerability in FortiSandbox Allowing Arbitrary Directory Deletion
Fortinet disclosed a path traversal vulnerability in FortiSandbox that allows privileged attackers with super-admin profiles and CLI access to delete arbitrary directories via crafted HTTP requests.

Fortinet has disclosed a path traversal vulnerability (CWE-22) in its FortiSandbox product line, including FortiSandbox Cloud and FortiSandbox PaaS, tracked as FG-IR-26-115. The flaw allows a privileged attacker holding a super-admin profile and CLI access to delete arbitrary directories on affected systems by sending specially crafted HTTP requests. The vulnerability carries a CVSSv3 score of 6.2, a medium severity rating.
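As an added illustration (not Fortinet's code, which is not public), the Python below contrasts a naive path join with a hardened resolver for a directory-deletion handler of the kind this class of bug affects; the function names and the temporary directory layout are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path


def unsafe_target(base: str, name: str) -> str:
    """Naive join: a name containing '..' or an absolute path escapes base (CWE-22)."""
    return os.path.join(base, name)


def safe_target(base: str, name: str) -> Path:
    """Resolve the requested directory and refuse anything outside base.

    Canonicalising both sides (symlinks included) before the containment
    check defeats '..' segments, absolute paths and symlink escapes.
    """
    base_real = Path(base).resolve(strict=True)
    candidate = (base_real / name).resolve()
    inside = os.path.commonpath([base_real, candidate]) == str(base_real)
    if candidate == base_real or not inside:
        raise ValueError(f"refusing path outside sandbox root: {name!r}")
    return candidate


def delete_sandbox_dir(base: str, name: str) -> bool:
    """Delete a directory owned by the sandbox tree; True if it was removed."""
    target = safe_target(base, name)
    if not target.is_dir():
        return False
    for child in sorted(target.rglob("*"), reverse=True):  # deepest entries first
        child.rmdir() if child.is_dir() else child.unlink()
    target.rmdir()
    return True


def demo() -> dict:
    """Constructed layout: <root>/jobs/job1 is the only deletable tree; <root>/etc is outside it."""
    root = Path(tempfile.mkdtemp())
    jobs = root / "jobs"
    (jobs / "job1").mkdir(parents=True)
    (root / "etc").mkdir()
    results = {}
    # The naive join resolves a traversal-style name to a directory outside the jobs tree.
    results["unsafe_escapes"] = os.path.realpath(unsafe_target(str(jobs), "../etc")) == str((root / "etc").resolve())
    try:  # The hardened resolver rejects the same request ...
        safe_target(str(jobs), "../etc")
        results["safe_rejects"] = False
    except ValueError:
        results["safe_rejects"] = True
    # ... while a legitimate job directory can still be removed, leaving etc intact.
    results["legit_deleted"] = delete_sandbox_dir(str(jobs), "job1") and not (jobs / "job1").exists()
    results["etc_intact"] = (root / "etc").is_dir()
    return results
```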
The vulnerability affects multiple versions of FortiSandbox. Specifically, FortiSandbox 5.0 versions 5.0.0 through 5.0.5 are vulnerable, with the fix available in version 5.0.6. FortiSandbox 4.4 versions 4.4.0 through 4.4.8 are also affected and patched in version 4.4.9. All versions of the older FortiSandbox 4.2 branch are impacted, and users are advised to migrate to a fixed release. FortiSandbox 5.2 is not affected.
For cloud-based deployments, FortiSandbox Cloud 5.0.4 is vulnerable, but Fortinet has remediated the issue in version 5.0.5, requiring no customer action. FortiSandbox Cloud 24, 23, 4.4, and 4.2 are not affected. FortiSandbox PaaS 5.0.4 is vulnerable, with the fix in version 5.0.5; other PaaS versions are unaffected.
The vulnerability was internally discovered and reported by Adham El karn of the Fortinet Product Security team. No evidence of in-the-wild exploitation has been reported at the time of disclosure. Fortinet has released patches and recommends that users upgrade to the fixed versions as soon as possible.
This disclosure is part of a broader trend of path traversal vulnerabilities in enterprise security products. While the CVSS score is moderate, the ability to delete arbitrary directories could disrupt operations or lead to data loss, particularly in sandbox environments critical for malware analysis. Organizations using FortiSandbox should prioritize patching, particularly where super-admin accounts with CLI access are in use, since that is the privilege level the flaw requires.