Cyber Resilience

CVE-2024-27778

HighRCE

Published: 14 January 2025

Published
14 January 2025
Modified
14 January 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0109 78.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-27778 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet Fortisandbox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-27778 is an improper neutralization of special elements used in an OS command vulnerability (CWE-78) affecting multiple versions of Fortinet FortiSandbox, including 4.4.0 through 4.4.4, 4.2.1 through 4.2.6, 4.0.0 through 4.0.4, all versions of 3.2 and 3.1, and 3.0.5 through 3.0.7. The vulnerability enables execution of unauthorized commands through crafted requests. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

An authenticated attacker with at least read-only permissions can exploit this vulnerability remotely by sending specially crafted requests to the FortiSandbox system. Successful exploitation allows the attacker to execute arbitrary operating system commands, potentially leading to full system compromise, data exfiltration, modification of sandbox configurations, or disruption of malware analysis workflows.

For mitigation details, refer to the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-061, which provides information on patches and recommended actions.

EU & UK References

Vulnerability details

An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandbox 4.2.1 through 4.2.6, FortiSandbox 4.0.0 through 4.0.4, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0.5 through 3.0.7…

more

allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection (CWE-78) in network-accessible FortiSandbox service directly enables remote exploitation of a public-facing app (T1190) leading to arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-52961Same product: Fortinet Fortisandbox
CVE-2026-39808Same product: Fortinet Fortisandbox
CVE-2025-53949Same product: Fortinet Fortisandbox
CVE-2024-54018Same product: Fortinet Fortisandbox
CVE-2025-52436Same product: Fortinet Fortisandbox
CVE-2026-39813Same product: Fortinet Fortisandbox
CVE-2024-27781Same product: Fortinet Fortisandbox
CVE-2024-52960Same product: Fortinet Fortisandbox
CVE-2024-50566Same vendor: Fortinet
CVE-2025-58034Same vendor: Fortinet

Affected Assets

fortinet
fortisandbox
3.0.5 — 4.0.5 · 4.2.0 — 4.2.7 · 4.4.0 — 4.4.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 requires validation of information inputs, directly addressing the improper neutralization of special elements that enables OS command injection via crafted requests.

prevent

SI-2 mandates timely identification, reporting, and correction of flaws, enabling patching of this specific command injection vulnerability as recommended in the Fortinet advisory.

prevent

AC-3 enforces approved authorizations for access to system resources, mitigating unauthorized OS command execution even for read-only authenticated users.

References