Fortinet Addresses FortiSandbox SSRF Vulnerability: Immediate Update Recommended
On January 13, 2026, Fortinet disclosed a Server-Side Request Forgery (SSRF) vulnerability in its FortiSandbox appliance, urging users to update their systems promptly to mitigate potential risks associated with internal network traffic being proxied through crafted HTTP requests.
Understanding the Vulnerability
The identified flaw, designated as CVE-2025-67685 (FG-IR-25-783), resides within the Graphical User Interface (GUI) component of FortiSandbox. This vulnerability is attributed to improper access control mechanisms, classified under CWE-918. It enables authenticated attackers to craft specific HTTP requests that can proxy traffic to internal plaintext endpoints.
Fortinet has assigned this issue a CVSSv3 score of 3.4, indicating a low severity level. The score reflects the requirement for attackers to possess high-privilege access, thereby limiting potential exploitation to insiders or scenarios involving compromised administrative accounts. As of the disclosure date, there is no evidence of active exploitation of this vulnerability.
Technical Details
The SSRF vulnerability arises from inadequate input validation within the GUI console of FortiSandbox. This deficiency allows attackers to forge requests directed at localhost or internal IP addresses over HTTP/HTTPS protocols. Notably, the vulnerability is restricted to non-TLS endpoints, which somewhat limits its potential impact. However, in environments that are air-gapped or have segmented networks, exploitation could lead to the exposure of sensitive internal services.
The vulnerability was discovered by Jason McFadyen of Trend Micro’s Zero Day Initiative and was reported to Fortinet under a responsible disclosure framework.
Affected Versions and Recommended Actions
The following versions of FortiSandbox are affected by this vulnerability:
– Version 5.0: Versions 5.0.0 through 5.0.4.
– Version 4.4: All versions.
– Version 4.2: All versions.
– Version 4.0: All versions.
To remediate this issue, Fortinet recommends the following actions:
– For Version 5.0 Users: Upgrade to version 5.0.5 or later.
– For Versions 4.4, 4.2, and 4.0 Users: Migrate to a fixed release as specified by Fortinet.
Administrators are advised to perform these upgrades promptly to ensure the security and integrity of their systems.
Implications and Recommendations
While the CVSS score indicates a low severity, the potential for internal network exposure necessitates immediate attention. Organizations should assess their FortiSandbox deployments and apply the recommended updates without delay.
In addition to applying patches, it is prudent for administrators to audit GUI logs for any anomalous internal fetches dating back to January 2026. This proactive measure can help identify any potential exploitation attempts and reinforce the security posture of the organization.
For detailed information and access to the necessary updates, users should refer to the FortiGuard portal.
