SharkStriker’s Threat intelligence researchers have reported active exploitation attempts targeting multiple critical vulnerabilities affecting Fortinet FortiSandbox, Fortinet’s advanced malware analysis and sandboxing platform.

FortiSandbox is a security appliance designed to analyze suspicious files, detect zero-day threats, identify ransomware, and provide advanced malware analysis capabilities across enterprise environments. The platform is commonly integrated with other Fortinet products, including FortiGate, FortiMail, FortiAnalyzer, and FortiEDR, making it a critical component of many organizations’ security architectures.

Through this blog, we will understand what the vulnerabilities are about, the threat posed by them, and some of the security actions that organizations can take to prevent/mitigate the threats posed by the vulnerability.

About the vulnerabilities

These vulnerabilities may allow unauthenticated attackers to perform command injection attacks, leading to unauthorized code execution and privilege escalation on affected systems. The attacks require no user interaction and are considered of low complexity from an exploitation perspective.

Given FortiSandbox’s role in malware analysis and security operations, successful compromise of the platform could potentially undermine an organization’s ability to detect, analyze, and respond to cyber threats.

What can attackers do with vulnerability?

An attacker can target a vulnerable FortiSandbox appliance and exploit command injection vulnerabilities to execute unauthorized commands remotely. Since the vulnerabilities do not require authentication and require no user interaction, attackers may be able to cause system compromise of exposed systems with minimal effort.

Successful exploitation may provide attackers with elevated privileges and the ability to execute arbitrary code on the appliance.

By exploiting the vulnerabilities, the attackers can:

• Execute malicious codes remotely on FortiSandbox appliances
• Gain unauthorized administrative access
• Escalate privileges
• Manipulate malware analysis results
• Gain access to submitted malware samples and analysis data
• Tamper with security workflows and integrations
• Establish persistence mechanisms through affected systems
• Laterally move across connected enterprise environments
• Facilitate deployment of ransomware
• Orchestrate cyber espionage and data theft campaigns

SharkStriker’s recommendations

To reduce the risk associated with these actively exploited FortiSandbox vulnerabilities, SharkStriker recommends implementing the following defensive measures:

Apply security updates immediately

Upgrade all FortiSandbox deployments to vendor-supported versions containing fixes for the identified vulnerabilities.

Perform a compromise assessment

Because active exploitation has been reported, organizations should review the following things to identify any signs of unauthorized access:

• Administrative login activity
• Audit logs
• Command execution logs
• System configuration changes
• Network connection records
• Security event telemetry

Restrict administrative access

Implement additional security controls including:

• Multi-Factor Authentication (MFA)
• VPN-restricted administrative access
• IP allowlisting
• Segmentation of management interfaces

Monitor for suspicious activity

Investigate and look for the following signs of suspicious activity:

• Unexpected command execution
• Unauthorized user creation
• Configuration modifications
• New administrative accounts
• Abnormal outbound communications
• Unexpected service restarts or system behavior

Validate connected security infrastructure

Review the following systems integrated with FortiSandbox for signs of suspicious activity or compromise:

• FortiGate
• FortiAnalyzer
• FortiManager
• FortiMail
• SIEM platforms.

Strengthen detection coverage

Ensure SIEM, EDR, and NDR platforms are configured to detect:

• Command injection attempts
• Privilege escalation activity
• Unauthorized administrative access
• Suspicious process execution
• Lateral movement behavior
• Persistence mechanisms

Maintain continuous monitoring

• Organizations should maintain heightened monitoring of Fortinet infrastructure until all affected systems have been patched and compromise assessments completed.

SharkStriker’s SOC team has:

• Reviewed publicly available threat intelligence regarding active exploitation of FortiSandbox vulnerabilities.
• Assessed the potential impact to enterprise security infrastructure.
• Validated the availability of vendor-issued security updates.
• Issued an advisory to support timely remediation and risk reduction efforts.
• Recommended compromise assessment and enhanced monitoring activities to the affected organizations.