Cyber Resilience

CVE-2024-52960

Severity: Medium
Published: 11 March 2025
Modified: 24 July 2025
CVSS Score v3.1: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0029 (52.8th percentile)
Risk Priority: 9 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-52960 is a medium-severity Client-Side Enforcement of Server-Side Security (CWE-602) vulnerability in Fortinet FortiSandbox. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.2% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-52960 is a client-side enforcement of server-side security vulnerability, classified as CWE-602, affecting Fortinet FortiSandbox in version 5.0.0, versions 4.4.0 through 4.4.6, and all versions before 4.2.7. The issue, published on 2025-03-11, carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, and low privileges required.

An authenticated attacker with at least read-only permissions can exploit the vulnerability by sending crafted requests, allowing execution of unauthorized commands. This results in an integrity impact without affecting confidentiality or availability, and requires no user interaction.

Mitigation details are available in the Fortinet product security incident response advisory at https://fortiguard.fortinet.com/psirt/FG-IR-24-305.

Vulnerability details

A client-side enforcement of server-side security vulnerability [CWE-602] in Fortinet FortiSandbox version 5.0.0, 4.4.0 through 4.4.6 and before 4.2.7 allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability in the network-accessible FortiSandbox application allows an authenticated, low-privilege attacker to execute unauthorized commands via crafted requests, directly enabling T1190 (Exploit Public-Facing Application) for initial access and T1059 (Command and Scripting Interpreter) for command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-52436 (same product: Fortinet FortiSandbox)
CVE-2024-52961 (same product: Fortinet FortiSandbox)
CVE-2026-39813 (same product: Fortinet FortiSandbox)
CVE-2026-39808 (same product: Fortinet FortiSandbox)
CVE-2024-27781 (same product: Fortinet FortiSandbox)
CVE-2024-27778 (same product: Fortinet FortiSandbox)
CVE-2025-53949 (same product: Fortinet FortiSandbox)
CVE-2024-54027 (same product: Fortinet FortiSandbox)
CVE-2024-54018 (same product: Fortinet FortiSandbox)
CVE-2024-45328 (same product: Fortinet FortiSandbox)

Affected Assets

fortinet
fortisandbox
5.0.0 · 3.0.0 — 4.2.8 · 4.4.0 — 4.4.7

Mitigating Controls (NIST 800-53 r5, AI)

AC-3 Access Enforcement (prevent): AC-3 mandates server-side enforcement of access control policies, directly mitigating the client-side enforcement failure that allows read-only users to execute unauthorized commands via crafted requests.

SI-10 Information Input Validation (prevent): SI-10 requires validation and sanitization of all inputs, preventing exploitation through crafted requests that bypass client-side security checks.

AC-6 Least Privilege (prevent): AC-6 enforces least privilege, limiting the impact by ensuring read-only permissions do not allow command execution even if enforcement is bypassed.
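The controls above describe the fix for CWE-602 in the abstract. The following added example (not code from this page, from Fortinet, or from FortiSandbox) shows the weakness pattern in a minimal request handler and the server-side check that closes it, which is what AC-3 and AC-6 ask for. The session store, role names, action names and the `is_admin` body field are all constructed assumptions for illustration; nothing here reflects FortiSandbox's actual API or internals.

```python
"""
CWE-602 (client-side enforcement of server-side security) in a minimal
request handler, beside the hardened form that checks the server-side
session. Constructed example: the session store, request shape, role and
action names are assumptions for illustration, not any vendor's API.
"""
from dataclasses import dataclass, field

# Constructed server-side session store: the only trustworthy source of a
# caller's role. In a real deployment this is backed by the auth system.
SESSIONS = {
    "sess-readonly": {"user": "viewer", "role": "read-only"},
    "sess-admin": {"user": "ops", "role": "admin"},
}

# Minimum role the server must require for each action (assumed names).
REQUIRED_ROLE = {
    "view_status": "read-only",
    "restart_service": "admin",
}
ROLE_RANK = {"read-only": 0, "admin": 1}


@dataclass
class Request:
    session_id: str
    action: str
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    detail: str


def vulnerable_handler(req: Request) -> Response:
    """CWE-602: trusts a privilege flag that the client put in the body.

    The web UI only renders the 'restart_service' control for admins, so the
    author assumed the flag is only ever true for admins. Any authenticated
    caller can set it, because the UI is not the enforcement point.
    """
    if req.session_id not in SESSIONS:
        return Response(401, "not authenticated")
    if req.action == "restart_service" and not req.body.get("is_admin"):
        return Response(403, "forbidden")
    return Response(200, f"executed {req.action}")


def hardened_handler(req: Request) -> Response:
    """AC-3/AC-6: derives the caller's role from server-side state only."""
    session = SESSIONS.get(req.session_id)
    if session is None:
        return Response(401, "not authenticated")
    needed = REQUIRED_ROLE.get(req.action)
    if needed is None:
        return Response(404, "unknown action")  # fail closed on unknown actions
    if ROLE_RANK[session["role"]] < ROLE_RANK[needed]:
        return Response(403, "forbidden")
    return Response(200, f"executed {req.action}")


def crafted_request() -> Request:
    """A read-only session asserting admin rights in the body (constructed)."""
    return Request("sess-readonly", "restart_service", {"is_admin": True})


def compare() -> dict:
    """Run the same request through both handlers and report the statuses."""
    req = crafted_request()
    return {
        "vulnerable": vulnerable_handler(req).status,
        "hardened": hardened_handler(req).status,
    }


if __name__ == "__main__":
    print(compare())  # {'vulnerable': 200, 'hardened': 403}
```

The hardened handler never consults the request body for authorization: the role comes from the session record the server created at login, the required role per action is a server-side table, and unknown actions are rejected rather than passed through. That is the concrete shape of "server-side enforcement" that AC-3 mandates, and the per-action role table is where AC-6 least privilege is expressed.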
