CVE-2024-54018
Published: 11 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution. (This sentence is the summary of the mapped MITRE ATT&CK technique, Command and Scripting Interpreter: Unix Shell, T1059.004; the CVE itself is described under Security Summary below.)
Security Summary
CVE-2024-54018 covers multiple OS command injection vulnerabilities (CWE-78, improper neutralization of special elements used in an OS command) in FortiSandbox versions before 4.4.5. Input supplied in crafted requests is passed to underlying operating system commands without adequate sanitization, so a privileged attacker can run unauthorized commands on the appliance.
The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): it is exploitable over the network with low attack complexity and no user interaction, but PR:H means the attacker must already hold a high-privilege account, such as an administrator on the management interface. From that position, crafted requests inject arbitrary OS commands that execute outside the controls of the web application, with high impact on confidentiality, integrity, and availability, up to full compromise of the appliance.
Fortinet's PSIRT advisory (FG-IR-24-110) details the vulnerabilities and recommends upgrading to FortiSandbox 4.4.5 or later to mitigate the issues, as all prior versions are affected.
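The CWE-78 pattern behind this CVE, as an added illustration that is not Fortinet's code and says nothing about where the real flaws sit in FortiSandbox: a hypothetical admin-only "network diagnostic" handler takes a hostname from the request and hands it to a command. The vulnerable form interpolates it into a shell command line; the hardened form validates it against an allow-list and passes an argv list with no shell. `echo` stands in for the real diagnostic tool so the demo is harmless, and the inputs are constructed. A POSIX shell is assumed for the vulnerable path.

```python
import re
import subprocess

# Constructed inputs for the demo: a benign hostname and an injection payload.
BENIGN_HOST = "sandbox.example.com"
PAYLOAD = "sandbox.example.com; echo INJECTED"

# Hypothetical hostname allow-list: RFC 1123 labels joined by dots. The first
# character must be alphanumeric, so a value can never start with "-" and be
# parsed as an option by the invoked tool (argument injection).
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_diag_vulnerable(host: str) -> str:
    """CWE-78: untrusted input interpolated into a shell command line.
    The shell parses ';', '|', '$(...)' etc. in the user-controlled value."""
    cmd = f"echo resolving {host}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def run_diag_argv_only(host: str) -> str:
    """Half fix: argv list with shell=False. Shell metacharacters become inert
    data, but option-style values (e.g. '-n') still reach the tool unchecked."""
    out = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return out.stdout


def run_diag_hardened(host: str) -> str:
    """Hardened form: allow-list validation first, then argv list, no shell."""
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    out = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return out.stdout


def injected(output: str) -> bool:
    """True if the payload's second command actually ran: its marker then
    appears as a line of its own rather than inside the echoed argument."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable :", repr(run_diag_vulnerable(PAYLOAD)))
    print("argv only  :", repr(run_diag_argv_only(PAYLOAD)))
    try:
        run_diag_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened   :", exc)
```

The vulnerable path returns two lines for the payload because the shell split it at `;` and ran `echo INJECTED` as a second command. The argv-only path returns a single line containing the literal payload, which is why removing `shell=True` is the first fix; the allow-list is still needed so that values such as `-n` cannot be turned into options of whatever tool is invoked.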
Details
- CWE(s): CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected Products
- Fortinet FortiSandbox, versions before 4.4.5 (fixed in 4.4.5)
MITRE ATT&CK Enterprise Techniques
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
The CVE describes OS command injection (CWE-78): a privileged attacker's crafted requests carry input that is passed unsanitized to operating system commands, so the injected text is interpreted by the shell of the Linux-based FortiSandbox appliance. That is Unix Shell execution (T1059.004) rather than a generic execution technique.