Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Unauthenticated network access to an exposed VNC service (AV:N/AC:L/PR:N) yields high confidentiality exposure of analysis sessions with limited integrity/availability impact via possible VM interaction.
Primary rating from Vendor (fortinet).
CVSS VectorVendor: fortinet
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
A exposure of resource to wrong sphere vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.3 through 4.4.8 may allow an unauthenticated attacker to access the VNC server of VMs performing scanning via network requests.
Articles & Coverage 1
AnalysisAI
Exposure of a scanning VM's VNC service in Fortinet FortiSandbox 5.0.0-5.0.2 and 4.4.3-4.4.8 lets an unauthenticated remote attacker reach the VNC server of the sandbox virtual machines used for malware detonation via ordinary network requests. Because these VMs run and observe live malware samples, unauthorized VNC access can expose sensitive analysis sessions and potentially allow interaction with the detonation environment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The exploit requires an attacker to have a network path to the FortiSandbox appliance's exposed VNC service belonging to the scanning VMs, and the appliance must be running an affected build (5.0.0-5.0.2 or 4.4.3-4.4.8). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, base 8.6) indicates a low-complexity, network-reachable, unauthenticated attack with high confidentiality impact and lesser integrity/availability impact - a genuinely serious exposure if the appliance's VNC path is reachable from an attacker-controlled network. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reachability to a FortiSandbox appliance sends crafted network requests to connect directly to the VNC server backing a scanning VM, without any credentials. Once connected, they can observe the live malware-detonation desktop session and potentially interact with the analysis environment, harvesting sensitive sample data or tampering with the sandbox verdict. … |
| Remediation | Patch available per vendor advisory FG-IR-26-145 (https://fortiguard.fortinet.com/psirt/FG-IR-26-145) - upgrade FortiSandbox to a fixed release above the affected 5.0.2 and 4.4.8 branches as directed by Fortinet; the input data does not include an exact fixed version number, so confirm the target build directly from the advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all FortiSandbox instances running versions 4.4.3-4.4.8 or 5.0.0-5.0.2 and document current network exposure and usage patterns. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Fortisandbox
View allPath traversal in Fortinet FortiSandbox 4.4.0-4.4.8 and 5.0.0-5.0.5 enables remote unauthenticated attackers to achieve
Remote code execution in Fortinet FortiSandbox 4.4.x through 5.0.x (on-premises, Cloud, and PaaS deployments) allows una
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerabi
A client-side enforcement of server-side security vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4, FortiSandb
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet F
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet F
Multiple instances of heap-based buffer overflow in the command shell of FortiSandbox before 4.0.0 may allow an authenti
An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox 3.2.0 through 3.2.2,
An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiS
A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox version 4.4.6 and below, version 4.2.7 and
A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox
A improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43710
GHSA-8fjf-5954-r8w4