CVE-2024-54026
Published: 11 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-54026 is an SQL injection vulnerability (CWE-89) caused by improper neutralization of special elements used in SQL commands. It affects Fortinet FortiSandbox versions 4.4.0 through 4.4.6; all versions of FortiSandbox 4.2, 4.0, 3.2, 3.1 and 3.0; and FortiSandbox Cloud 24.1. The flaw allows attackers to execute unauthorized code or commands through specially crafted HTTP requests. The vulnerability has a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), indicating low severity with limited confidentiality impact.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). By sending crafted HTTP requests, the attacker can inject SQL, potentially leading to unauthorized code or command execution, although the CVSS vector scores the impact as low confidentiality only (C:L/I:N/A:N).
Fortinet has published advisory FG-IR-24-353 at https://fortiguard.fortinet.com/psirt/FG-IR-24-353, which provides details on the vulnerability and recommended mitigations or patches.
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection via crafted HTTP requests in a network-accessible web application (FortiSandbox) directly enables exploitation of public-facing applications for initial access.