CVE-2025-53949

HighRCE

Published: 09 December 2025

Published

09 December 2025

Modified

09 December 2025

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0019 40.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-53949 is a high-severity OS Command Injection (CWE-78) vulnerability in Fortinet Fortisandbox. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation and sanitization of crafted HTTP request inputs to prevent OS command injection (CWE-78).

SI-2 Flaw Remediation good match

prevent

Mandates timely patching and remediation of the specific flaw in vulnerable FortiSandbox versions as per vendor advisory.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to restrict high-privilege (PR:H) access needed for authenticated exploitation of the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

OS Command Injection (CWE-78) allows arbitrary OS command execution via crafted HTTP requests, directly mapping to Unix Shell (T1059.004) on Linux-based FortiSandbox.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an authenticated attacker…

to execute unauthorized code on the underlying system via crafted HTTP requests.

Deeper analysisAI

CVE-2025-53949 is an Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability, classified under CWE-78, affecting Fortinet FortiSandbox versions 5.0.0 through 5.0.2, 4.4.0 through 4.4.7, 4.2 all versions, and 4.0 all versions. Published on 2025-12-09, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with network accessibility and low attack complexity.

An authenticated attacker with high privileges (PR:H) can exploit the vulnerability by sending crafted HTTP requests to the affected FortiSandbox instances. Successful exploitation may allow execution of unauthorized code on the underlying operating system.

Mitigation details are provided in the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-25-479.

Details

CWE(s): CWE-78

Affected Products

fortinet

fortisandbox

4.0.0 — 4.0.6 · 4.2.0 — 4.2.8 · 4.4.0 — 4.4.7

CVEs Like This One

CVE-2024-54018Same product: Fortinet Fortisandbox

CVE-2024-52961Same product: Fortinet Fortisandbox

CVE-2026-39808Same product: Fortinet Fortisandbox

CVE-2024-27778Same product: Fortinet Fortisandbox

CVE-2024-52960Same product: Fortinet Fortisandbox

CVE-2025-52436Same product: Fortinet Fortisandbox

CVE-2024-55590Same vendor: Fortinet

CVE-2024-54027Same product: Fortinet Fortisandbox

CVE-2024-27781Same product: Fortinet Fortisandbox

CVE-2026-39813Same product: Fortinet Fortisandbox

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-479
Vendor Advisory · psirt@fortinet.com