CVE-2024-54026 - Vulnerability Details

An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00053.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fortinet Subscribe	Fortisandbox Subscribe Fortisandbox Cloud Subscribe Fortisandboxcloud Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:fortinet:fortisandbox::::::::
	cpe:2.3:a:fortinet:fortisandbox_cloud:24.1:::::::*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Fortinet Subscribe	Fortisandbox Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2024-54250	An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox Cloud version 23.4, FortiSandbox at least 4.4.0 through 4.4.6 and 4.2.0 through 4.2.7 and 4.0.0 through 4.0.5 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.

Fixes

Solution

Upgrade to FortiSandbox version 5.0.1 or above Upgrade to FortiSandbox version 4.4.7 or above Fortinet remediated this issue in FortiSandbox Cloud version 24.2 (not released) and hence customers do not need to perform any action.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://fortiguard.fortinet.com/psirt/FG-IR-24-353

History

Wed, 14 Jan 2026 23:30:00 +0900

Type	Values Removed	Values Added
Description	An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox Cloud version 23.4, FortiSandbox at least 4.4.0 through 4.4.6 and 4.2.0 through 4.2.7 and 4.0.0 through 4.0.5 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.	An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox 4.4.0 through 4.4.6, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox Cloud 24.1 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
First Time appeared		Fortinet fortisandboxcloud
CPEs		cpe:2.3:a:fortinet:fortisandbox:3.0.0:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.1:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.2:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.3:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.4:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.5:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.6:::::::* cpe:2.3:a:fortinet:fortisandbox:3.0.7:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.0:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.1:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.2:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.3:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.4:::::::* cpe:2.3:a:fortinet:fortisandbox:3.1.5:::::::* cpe:2.3:a:fortinet:fortisandbox:3.2.0:::::::* cpe:2.3:a:fortinet:fortisandbox:3.2.1:::::::* cpe:2.3:a:fortinet:fortisandbox:3.2.2:::::::* cpe:2.3:a:fortinet:fortisandbox:3.2.3:::::::* cpe:2.3:a:fortinet:fortisandbox:3.2.4:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.0:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.1:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.2:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.3:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.4:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.5:::::::* cpe:2.3:a:fortinet:fortisandbox:4.0.6:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.1:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.2:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.3:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.4:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.5:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.6:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.7:::::::* cpe:2.3:a:fortinet:fortisandbox:4.2.8:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.0:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.1:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.2:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.3:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.4:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.5:::::::* cpe:2.3:a:fortinet:fortisandbox:4.4.6:::::::* cpe:2.3:a:fortinet:fortisandboxcloud:24.1:::::::*
Vendors & Products		Fortinet fortisandboxcloud

Fri, 25 Jul 2025 04:00:00 +0900

Type	Values Removed	Values Added
First Time appeared		Fortinet fortisandbox Cloud
CPEs		cpe:2.3:a:fortinet:fortisandbox:::::::: cpe:2.3:a:fortinet:fortisandbox_cloud:24.1:::::::*
Vendors & Products		Fortinet fortisandbox Cloud

Fri, 11 Jul 2025 22:45:00 +0900

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00045}`	epss `{'score': 0.00044}`

Wed, 12 Mar 2025 01:15:00 +0900

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 12 Mar 2025 00:00:00 +0900

Type	Values Removed	Values Added
Description		An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiSandbox Cloud version 23.4, FortiSandbox at least 4.4.0 through 4.4.6 and 4.2.0 through 4.2.7 and 4.0.0 through 4.0.5 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 allows attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
Weaknesses		CWE-89
References		https://fortiguard.fortinet.com/psirt/FG-IR-24-353
Metrics		cvssV3_1 `{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:C'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: fortinet

Published: 2025-03-11T14:54:38.660Z

Updated: 2026-01-14T14:16:03.420Z

Reserved: 2024-11-27T15:20:39.891Z

Link: CVE-2024-54026

Vulnrichment

Updated: 2025-03-11T16:02:31.442Z

NVD

Status : Modified

Published: 2025-03-11T15:15:43.307

Modified: 2026-01-14T15:15:55.473

Link: CVE-2024-54026

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-13T01:01:18Z

Weaknesses

CWE-89

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object