Arbitrary directory delete on vmimages delete feature
Summary
An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in FortiSandbox, FortiSandbox Cloud, FortiSandbox PaaS and FortiSandbox Cloud WEB UI may allow a privileged attacker with a super-admin profile and CLI access to delete an arbitrary directory via crafted HTTP requests.
| Version | Affected | Solution |
|---|---|---|
| FortiSandbox 5.2 | Not affected | Not Applicable |
| FortiSandbox 5.0 | 5.0.0 through 5.0.5 | Upgrade to 5.0.6 or above |
| FortiSandbox 4.4 | 4.4.0 through 4.4.8 | Upgrade to 4.4.9 or above |
| FortiSandbox 4.2 | 4.2 all versions | Migrate to a fixed release |
| FortiSandbox Cloud 24 | Not affected | Not Applicable |
| FortiSandbox Cloud 23 | Not affected | Not Applicable |
| FortiSandbox Cloud 5.0 | 5.0.4 | Fortinet remediated this issue in 5.0.5 and hence customers do not need to perform any action. |
| FortiSandbox Cloud 4.4 | Not affected | Not Applicable |
| FortiSandbox Cloud 4.2 | Not affected | Not Applicable |
| FortiSandbox PaaS 5.0 | 5.0.4 | Upgrade to 5.0.5 or above |
| FortiSandbox PaaS 4.4 | Not affected | Not Applicable |
| FortiSandbox PaaS 4.2 | Not affected | Not Applicable |
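The weakness class named in the summary, CWE-22 applied to a directory-delete operation, is easiest to see with a vulnerable handler beside its hardened form. The following is an added, constructed illustration of that pattern and is not FortiSandbox code; the function names, the `vmimages` base directory layout and the temporary-directory fixture are assumptions made for the example. The vulnerable variant joins the caller-supplied name onto the base directory without checking that the result stays inside it, so `../other` (or an absolute path, which `os.path.join` silently lets replace the base) removes a sibling directory. The hardened variant accepts only a single path component, canonicalises the result and verifies that its parent is the base directory before deleting anything.

```python
import os
import shutil
import tempfile
from pathlib import Path


def delete_vmimage_vulnerable(base_dir: str, name: str) -> str:
    """CWE-22 pattern: the caller-controlled name is joined onto the base
    directory with no containment check, so '..' segments and absolute
    paths escape base_dir. Returns the path that was removed."""
    target = os.path.join(base_dir, name)  # '../x' or '/abs' escapes base_dir
    shutil.rmtree(target)
    return target


def delete_vmimage_hardened(base_dir: str, name: str) -> str:
    """Hardened form: allow exactly one path component, canonicalise, and
    require the resolved target's parent to be the resolved base."""
    base = Path(base_dir).resolve()
    # Reject empty names, '.' / '..', and anything containing a separator
    # (this also rejects absolute paths before os.path-style joining can
    # discard base_dir).
    if name in ("", ".", "..") or "/" in name or "\\" in name or os.sep in name:
        raise ValueError(f"invalid image name: {name!r}")
    target = (base / name).resolve()  # resolve() also follows symlinks
    if target.parent != base:
        raise ValueError(f"target escapes base directory: {target}")
    if not target.is_dir():
        raise FileNotFoundError(f"no such image directory: {target}")
    shutil.rmtree(target)
    return str(target)


def build_fixture() -> Path:
    """Constructed layout (assumption): <root>/vmimages/img1 and <root>/other."""
    root = Path(tempfile.mkdtemp(prefix="cwe22-"))
    (root / "vmimages" / "img1").mkdir(parents=True)
    (root / "other").mkdir()
    (root / "other" / "keep.txt").write_text("data")
    return root


def _rejected(fn) -> bool:
    """True if fn() raises ValueError (the hardened handler's refusal)."""
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run both handlers against the constructed fixture and report outcomes."""
    results = {}

    # Vulnerable handler: '../other' walks out of vmimages and deletes a sibling.
    root = build_fixture()
    base = root / "vmimages"
    delete_vmimage_vulnerable(str(base), "../other")
    results["vuln_traversal_removed_other"] = not (root / "other").exists()
    # os.path.join discards the base when the second argument is absolute.
    results["join_discards_base"] = (
        os.path.join(str(base), str(root / "other")) == str(root / "other")
    )
    shutil.rmtree(root)

    # Hardened handler: the same inputs are refused; a legitimate name works.
    root2 = build_fixture()
    base2 = root2 / "vmimages"
    results["hardened_rejects_traversal"] = _rejected(
        lambda: delete_vmimage_hardened(str(base2), "../other"))
    results["hardened_rejects_absolute"] = _rejected(
        lambda: delete_vmimage_hardened(str(base2), str(root2 / "other")))
    results["hardened_rejects_dotdot"] = _rejected(
        lambda: delete_vmimage_hardened(str(base2), ".."))
    results["other_still_exists"] = (root2 / "other").exists()
    delete_vmimage_hardened(str(base2), "img1")
    results["hardened_deletes_legit"] = not (base2 / "img1").exists()
    shutil.rmtree(root2)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because `Path.resolve()` follows symlinks, a symlink planted inside the base directory that points elsewhere is also refused by the parent check; the check must be done on the resolved path, not on the string the caller supplied.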
Acknowledgement
Internally discovered and reported by Adham El karn of the Fortinet Product Security team.
Timeline
2026-04-14: Initial publication