Details of VAR-202503-1498

ID

VAR-202503-1498

CVE

CVE-2024-52961

TITLE

fortinet's FortiSandbox In OS Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-026441

DESCRIPTION

An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0, FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2.1 through 4.2.7, FortiSandbox 4.0.0 through 4.0.5, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. fortinet's FortiSandbox for, OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Fortinet FortiSandbox is an APT (Advanced Persistent Threat) protection device from Fortinet Systems, Inc. It offers dual sandbox technology, a dynamic threat intelligence system, a real-time control panel, and reporting capabilities. The Fortinet FortiSandbox contains an operating system command injection vulnerability

Trust: 2.16

sources: NVD: CVE-2024-52961 // JVNDB: JVNDB-2024-026441 // CNVD: CNVD-2025-27464

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-27464

AFFECTED PRODUCTS

vendor:	fortinet	model:	fortisandbox	scope:	eq	version:	5.0.0	Trust: 1.6
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.4.7	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.0.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.2.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.2.8	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.4.0	Trust: 1.0
vendor:	fortinet	model:	fortisandbox	scope:	lt	version:	4.0.6	Trust: 1.0
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.4.0 that's all 4.4.7	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	5.0.0	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	-	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	3.0.0 that's all 4.0.6	Trust: 0.8
vendor:	フォーティネット	model:	fortisandbox	scope:	eq	version:	4.2.0 that's all 4.2.8	Trust: 0.8
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	3.0.0,<4.0.6	Trust: 0.6
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.2.0,<4.2.8	Trust: 0.6
vendor:	fortinet	model:	fortisandbox	scope:	gte	version:	4.4.0,<4.4.7	Trust: 0.6

sources: CNVD: CNVD-2025-27464 // JVNDB: JVNDB-2024-026441 // NVD: CVE-2024-52961

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@fortinet.com:	CVE-2024-52961
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2024-026441
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2025-27464
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2025-27464
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

psirt@fortinet.com:	CVE-2024-52961
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2024-026441
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-27464 // JVNDB: JVNDB-2024-026441 // NVD: CVE-2024-52961

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	OS Command injection (CWE-78) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-026441 // NVD: CVE-2024-52961

PATCH

title:	FG-IR-24-306	url:	https://fortiguard.com/psirt/FG-IR-24-306	Trust: 0.8
title:	Patch for Fortinet FortiSandbox Operating System Command Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/751376	Trust: 0.6

sources: CNVD: CNVD-2025-27464 // JVNDB: JVNDB-2024-026441

EXTERNAL IDS

db:	NVD	id:	CVE-2024-52961	Trust: 3.2
db:	JVNDB	id:	JVNDB-2024-026441	Trust: 0.8
db:	CNVD	id:	CNVD-2025-27464	Trust: 0.6

sources: CNVD: CNVD-2025-27464 // JVNDB: JVNDB-2024-026441 // NVD: CVE-2024-52961

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2024-52961	Trust: 1.4
url:	https://fortiguard.fortinet.com/psirt/fg-ir-24-306	Trust: 1.0

sources: CNVD: CNVD-2025-27464 // JVNDB: JVNDB-2024-026441 // NVD: CVE-2024-52961

SOURCES

db:	CNVD	id:	CNVD-2025-27464
db:	JVNDB	id:	JVNDB-2024-026441
db:	NVD	id:	CVE-2024-52961

LAST UPDATE DATE

2026-01-14T23:52:38.625000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-27464	date:	2025-11-10T00:00:00
db:	JVNDB	id:	JVNDB-2024-026441	date:	2025-07-25T06:45:00
db:	NVD	id:	CVE-2024-52961	date:	2026-01-14T15:15:55.350

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-27464	date:	2025-11-07T00:00:00
db:	JVNDB	id:	JVNDB-2024-026441	date:	2025-07-25T00:00:00
db:	NVD	id:	CVE-2024-52961	date:	2025-03-11T15:15:42.960