Multiple Critical Vulnerabilities Disclosed in Fortinet FortiSandbox and FortiWeb Products
Fortinet has addressed several critical vulnerabilities affecting its FortiSandbox and FortiWeb products, with public advisories and technical details released on December 16, 2025. The most severe issues impact FortiSandbox, where multiple command injection vulnerabilities (CVE-2025-53949) allow authenticated attackers to execute arbitrary code as root via the admindel_confirm, name, and upload_vdi_file parameters. Additionally, a cross-site scripting vulnerability (CVE-2025-54353) in the hcproxy component could enable remote code execution with minimal user interaction. Fortinet has released patches for these flaws, and users are strongly advised to update affected systems immediately.
For FortiWeb, a critical authentication bypass vulnerability (CVE-2025-64447) was disclosed, stemming from improper verification of cryptographic signatures in the ApacheCookie_parse method, allowing unauthenticated attackers to gain access. These disclosures follow recent reports of active exploitation of a separate FortiWeb vulnerability (CVE-2025-64446), which enables unauthenticated attackers to create rogue administrator accounts and fully compromise exposed devices. Organizations using FortiWeb and FortiSandbox should review the official advisories and apply the recommended mitigations to prevent exploitation.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Technical details of FortiWeb exploit chain are publicly documented
By 2025-12-16, public reporting described how CVE-2025-64446 chained path traversal and authentication bypass issues to reach sensitive CGI scripts and impersonate administrators. Defenders were advised to look for suspicious POST requests, unexpected admin accounts, and anomalous logs.
CISA orders federal agencies to remediate exploited FortiWeb flaw
Following confirmation of active exploitation of CVE-2025-64446, CISA mandated remediation for U.S. federal agencies. The order reflected the risk posed by global scanning and exploitation campaigns targeting vulnerable FortiWeb devices.
Fortinet releases fixes and public advisories for FortiWeb and FortiSandbox flaws
On 2025-12-16, Fortinet released updates and coordinated public advisories covering FortiWeb vulnerabilities CVE-2025-64446 and CVE-2025-64447, as well as FortiSandbox vulnerabilities including CVE-2025-53949 and CVE-2025-54353. The advisories urged customers to apply patches immediately due to the severity of the issues.
FortiWeb auth bypass CVE-2025-64447 reported to Fortinet
Jason McFadyen of Trend Research reported the FortiWeb authentication bypass vulnerability CVE-2025-64447 to Fortinet on 2025-10-10. The issue involved improper verification of a cryptographic signature and could let remote attackers bypass authentication without user interaction.
Attackers begin exploiting FortiWeb CVE-2025-64446 in the wild
Active exploitation of FortiWeb path traversal vulnerability CVE-2025-64446 began in October 2025, according to reporting cited by watchTowr Labs and confirmed by Fortinet. The flaw allowed unauthenticated attackers to create rogue administrator accounts and take full control of affected devices.
FortiSandbox RCE flaws reported to Fortinet
Jason McFadyen of Trend Research reported FortiSandbox command injection vulnerabilities later assigned CVE-2025-53949 to Fortinet in May 2025. The flaws affected multiple endpoints and could allow authenticated attackers to execute code as root.
Sources
Fortinet FortiWeb Vulnerability (CVE-2025-64446) Exploited in the Wild for Full Admin Takeover (cybersecuritynews.com)
Fortinet FortiSandbox hcproxy Cross-Site Scripting Remote Code Execution Vulnerability (zerodayinitiative.com)
Fortinet FortiWeb ApacheCookie_parse Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability (zerodayinitiative.com)
Fortinet FortiSandbox names admindel_confirm Command Injection Remote Code Execution Vulnerability (zerodayinitiative.com)
Fortinet FortiSandbox name Parameter Command Injection Remote Code Execution Vulnerability (zerodayinitiative.com)
Fortinet FortiSandbox upload_vdi_file Command Injection Remote Code Execution Vulnerability (zerodayinitiative.com)