ID

VAR-202601-1135


CVE

CVE-2025-67685


TITLE

Fortinet's FortiSandbox Server-side request forgery vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2026-001330

DESCRIPTION

A Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox 4.4 all versions, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker to proxy internal requests limited to plaintext endpoints only via crafted HTTP requests. Also, some of the information handled by the software may be rewritten. Furthermore, the software will not stop. Furthermore, attacks that exploit this vulnerability will not affect other software. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Fortinet FortiSandbox. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of web sockets. The issue results from the lack of proper validation of a URI prior to accessing resources. An attacker can leverage this vulnerability to execute code in the context of the current process.

Trust: 2.25

sources: NVD: CVE-2025-67685 // JVNDB: JVNDB-2026-001330 // ZDI: ZDI-26-048

AFFECTED PRODUCTS

vendor: fortinet, model: fortisandbox, scope: gte, version: 4.0.0

Trust: 1.0

vendor: fortinet, model: fortisandbox, scope: lt, version: 5.0.5

Trust: 1.0

vendor: フォーティネット, model: fortisandbox, scope: -, version: -

Trust: 0.8

vendor: フォーティネット, model: fortisandbox, scope: eq, version: 4.0.0 that's all 5.0.5

Trust: 0.8

vendor: フォーティネット, model: fortisandbox, scope: eq, version: -

Trust: 0.8

vendor: fortinet, model: fortisandbox, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-26-048 // JVNDB: JVNDB-2026-001330 // NVD: CVE-2025-67685

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@fortinet.com: CVE-2025-67685
value: LOW

Trust: 1.0

OTHER: JVNDB-2026-001330
value: LOW

Trust: 0.8

ZDI: CVE-2025-67685
value: HIGH

Trust: 0.7

psirt@fortinet.com: CVE-2025-67685
baseSeverity: LOW
baseScore: 3.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 2.5
version: 3.1

Trust: 1.0

OTHER: JVNDB-2026-001330
baseSeverity: LOW
baseScore: 3.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2025-67685
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-26-048 // JVNDB: JVNDB-2026-001330 // NVD: CVE-2025-67685

PROBLEMTYPE DATA

problemtype: CWE-918

Trust: 1.0

problemtype: Server-side request forgery (CWE-918) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-001330 // NVD: CVE-2025-67685

PATCH

title: PSIRT | FortiGuard Labs, url: https://fortiguard.fortinet.com/psirt/FG-IR-25-783

Trust: 1.5

sources: ZDI: ZDI-26-048 // JVNDB: JVNDB-2026-001330

EXTERNAL IDS

db: NVD, id: CVE-2025-67685

Trust: 3.3

db: JVNDB, id: JVNDB-2026-001330

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-27307

Trust: 0.7

db: ZDI, id: ZDI-26-048

Trust: 0.7

sources: ZDI: ZDI-26-048 // JVNDB: JVNDB-2026-001330 // NVD: CVE-2025-67685

REFERENCES

url: https://fortiguard.fortinet.com/psirt/fg-ir-25-783

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2025-67685

Trust: 0.8

sources: ZDI: ZDI-26-048 // JVNDB: JVNDB-2026-001330 // NVD: CVE-2025-67685

CREDITS

Jason McFadyen of Trend Research

Trust: 0.7

sources: ZDI: ZDI-26-048

SOURCES

db: ZDI, id: ZDI-26-048
db: JVNDB, id: JVNDB-2026-001330
db: NVD, id: CVE-2025-67685

LAST UPDATE DATE

2026-01-30T23:50:52.364000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-26-048, date: 2026-01-28T00:00:00
db: JVNDB, id: JVNDB-2026-001330, date: 2026-01-16T05:21:00
db: NVD, id: CVE-2025-67685, date: 2026-01-14T21:38:01.700

SOURCES RELEASE DATE

db: ZDI, id: ZDI-26-048, date: 2026-01-28T00:00:00
db: JVNDB, id: JVNDB-2026-001330, date: 2026-01-16T00:00:00
db: NVD, id: CVE-2025-67685, date: 2026-01-13T17:15:58.873