FortiSandbox XSS Flaw Allows Arbitrary Command Vulnerability Attackers

Fortinet has disclosed a high-severity cross-site scripting (XSS) vulnerability impacting its FortiSandbox platform. Tracked as CVE-2025-52436 (FG-IR-25-093), the flaw allows unauthenticated attackers to execute arbitrary commands on affected systems.

Dubbed an “Improper Neutralization of Input During Web Page Generation” issue (CWE-79), the flaw resides in the graphical user interface (GUI) component and scores a 7.9.

At its core, this reflected XSS vulnerability arises from inadequate input sanitization in web page generation. An attacker crafts malicious requests, typically via the browser’s back button or manipulated parameters, that inject executable JavaScript into the GUI.

Once a victim (like an admin) interacts with the tainted page, the script triggers, escalating to remote code execution (RCE). This grants full command-line access, potentially leading to data exfiltration, lateral movement, or sandbox evasion in malware analysis environments.

Affected Versions and Patches

FortiSandbox PaaS deployments bear the brunt:

Patches landed in PaaS versions 4.4.8 and 5.0.5. Fortinet urges immediate upgrades, emphasizing exposure mitigation via network segmentation and GUI access restrictions until patched.

Credit goes to Jaguar Perlas of Fortinet’s Burnaby Infosec team for internal discovery. This incident underscores persistent XSS risks in enterprise tools, even sandboxes meant to isolate threats.

Organizations scanning malware or handling sensitive intel should prioritize patching unpatched systems invite command-and-control pivots. Fortinet reports no known exploitation, but the unauthenticated vector demands vigilance.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.