CVE-2023-41682 in FortiSandbox
Summary
by MITRE • 10/25/2023
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 4.4.0, FortiSandbox 4.2.1 through 4.2.5, FortiSandbox 4.0.0 through 4.0.3, FortiSandbox 3.2 all versions, FortiSandbox 3.1 all versions, FortiSandbox 3.0 all versions, FortiSandbox 2.5 all versions, FortiSandbox 2.4 all versions allows an attacker to cause a denial of service via crafted HTTP requests.
Analysis
by VulDB Data Team • 01/14/2026
CVE-2023-41682 is a critical path traversal flaw affecting multiple versions of Fortinet FortiSandbox appliances. The weakness stems from improper validation of file paths in the web interface, specifically in the handling of HTTP requests that perform file upload or file access operations. It manifests when the application fails to sanitize user-supplied input containing directory traversal sequences such as '../' or equivalent patterns, allowing an attacker to reach file system locations beyond the intended directory.
The flaw lies in the application's file handling code, where HTTP request parameters containing file paths are processed without sufficient validation or normalization. A crafted request carrying specially formatted path sequences is interpreted by FortiSandbox as legitimate file system navigation rather than as a malicious payload. This misinterpretation happens at the application layer, where input validation should enforce strict boundaries on permitted file system operations, particularly in file upload, download, and access control code paths.
The operational impact is a potential denial of service that can severely disrupt the FortiSandbox appliance. An attacker could also use the traversal to access restricted system files, potentially leading to information disclosure, system compromise, or complete service disruption. The affected releases span FortiSandbox 2.4 through 4.4, indicating a long-standing issue that persisted across multiple releases and suggesting inadequate input validation throughout the product lifecycle. The denial of service occurs when crafted requests cause the application to process invalid paths, potentially exhausting resources or crashing the application so that legitimate users can no longer reach the sandboxing functionality.
Security controls and mitigations should focus on robust input validation that sanitizes every user-supplied file path parameter before it is processed. Organizations should deploy web application firewalls that detect and block path traversal patterns, and should update FortiSandbox appliances to patched versions that address this weakness. The vulnerability aligns with CWE-22, improper limitation of a pathname to a restricted directory, and represents a clear violation of secure coding practices that should prevent arbitrary file system access. From an ATT&CK framework perspective, this vulnerability maps to technique T1059.007 for command and scripting interpreter and T1499.004 for network disruption, as it enables attackers to potentially gain unauthorized access to system resources and cause service availability issues. The breadth of affected versions makes this a persistent flaw requiring prompt remediation across all supported FortiSandbox deployments to prevent exploitation and maintain the integrity of the sandboxing environment.
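As an added illustration of the unchecked path handling described in the analysis and of the input validation and WAF-style detection recommended here (example code written for this page, not FortiSandbox's own code): a weak path join next to a hardened one, and a detector for traversal sequences in request lines. The base directory, endpoint names and request lines are constructed assumptions, not values from the advisory.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed base directory for the example; FortiSandbox's real paths are not on the page.
BASE_DIR = "/var/sandbox/uploads"

def resolve_unsafe(base: str, user_path: str) -> str:
    """Weak pattern behind CWE-22: the request parameter is joined onto the base
    directory and normalised, but nothing checks where the result actually lands."""
    return os.path.normpath(os.path.join(base, user_path))

def resolve_safe(base: str, user_path: str) -> Optional[str]:
    """Hardened pattern: decode, canonicalise, then require that the final path is
    still inside the base directory. Returns None when the request must be rejected."""
    # Decode twice so a double-encoded %252e%252e%252f cannot bypass the check.
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:            # NUL bytes truncate paths in many C runtimes
        return None
    decoded = decoded.replace("\\", "/")   # treat backslashes as separators too
    # os.path.join discards base entirely when user_path is absolute, so strip slashes.
    candidate = os.path.normpath(os.path.join(base, decoded.lstrip("/")))
    base_norm = os.path.normpath(base)
    # commonpath, not startswith: "/var/sandbox/uploads_x" must not pass as inside base.
    if os.path.commonpath([base_norm, candidate]) != base_norm:
        return None
    return candidate

# Detection side (WAF rule or log search): raw, encoded and double-encoded "../" forms.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e|%252e%252e)(?:/|\\|%2f|%5c|%252f)", re.IGNORECASE)

def traversal_requests(log_lines: List[str]) -> List[str]:
    """Return the request lines that carry a directory traversal sequence."""
    return [line for line in log_lines if TRAVERSAL_RE.search(line)]

# Constructed request lines; the endpoint names are hypothetical, not FortiSandbox's.
SAMPLE_REQUESTS = [
    "GET /api/files?name=sample.exe HTTP/1.1",
    "GET /api/files?name=../../../etc/passwd HTTP/1.1",
    "GET /api/files?name=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "GET /api/files?name=%252e%252e%252fetc%252fpasswd HTTP/1.1",
    "GET /api/reports/2023/scan.log HTTP/1.1",
]

if __name__ == "__main__":
    print(resolve_unsafe(BASE_DIR, "../../../etc/passwd"))   # escapes to /etc/passwd
    print(resolve_safe(BASE_DIR, "../../../etc/passwd"))     # None: rejected
    print(traversal_requests(SAMPLE_REQUESTS))               # the three traversal lines
```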