Cyber Resilience

CVE-2024-52961

HighRCE

Published: 11 March 2025

Published
11 March 2025
Modified
14 January 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0040 61.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-52961 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet Fortisandbox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-52961 is an improper neutralization of special elements used in an OS Command vulnerability (CWE-78) affecting multiple versions of Fortinet FortiSandbox, including version 5.0.0, 4.4.0 through 4.4.6, 4.2.1 through 4.2.7, 4.0.0 through 4.0.5, and all versions of 3.2, 3.1, and 3.0. This flaw allows an authenticated attacker with at least read-only permissions to execute unauthorized commands through crafted requests. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.

An attacker requires valid credentials with read-only access to the FortiSandbox management interface, which can be exploited remotely over the network with low complexity and no user interaction. Successful exploitation enables arbitrary command execution on the underlying operating system, potentially granting full control over the sandbox appliance, including data exfiltration, persistence, or lateral movement within the environment.

Fortinet has published advisory FG-IR-24-306 at https://fortiguard.fortinet.com/psirt/FG-IR-24-306, which provides details on affected versions and recommended mitigations, including available patches. Security practitioners should consult this advisory for upgrade paths and workarounds.

EU & UK References

Vulnerability details

An improper neutralization of special elements used in an OS Command vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0, FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2.1 through 4.2.7, FortiSandbox 4.0.0 through 4.0.5, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0…

more

all versions allows an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection (CWE-78) in public-facing FortiSandbox management interface directly enables arbitrary Unix shell command execution (T1059.004) and exploitation of public-facing applications (T1190) for initial access or post-auth execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39808Same product: Fortinet Fortisandbox
CVE-2024-27778Same product: Fortinet Fortisandbox
CVE-2025-53949Same product: Fortinet Fortisandbox
CVE-2024-54018Same product: Fortinet Fortisandbox
CVE-2025-52436Same product: Fortinet Fortisandbox
CVE-2026-39813Same product: Fortinet Fortisandbox
CVE-2024-27781Same product: Fortinet Fortisandbox
CVE-2024-52960Same product: Fortinet Fortisandbox
CVE-2024-50566Same vendor: Fortinet
CVE-2025-58034Same vendor: Fortinet

Affected Assets

fortinet
fortisandbox
5.0.0 · 3.0.0 — 4.0.6 · 4.2.0 — 4.2.8 · 4.4.0 — 4.4.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of crafted requests to neutralize special elements and prevent OS command injection (CWE-78).

prevent

Mandates timely remediation of the specific flaw through patching, as provided by Fortinet for affected FortiSandbox versions.

prevent

Enforces access control policies to restrict read-only authenticated users from executing unauthorized OS commands.

References