CVE-2025-67685
📋 TL;DR
This SSRF vulnerability in Fortinet FortiSandbox allows authenticated attackers to proxy internal requests to plaintext endpoints via crafted HTTP requests. It affects FortiSandbox versions 4.0, 4.2, 4.4, and 5.0.0 through 5.0.4. Attackers must have valid authentication credentials to exploit this vulnerability.
💻 Affected Systems
- Fortinet FortiSandbox
📦 What is this software?
FortiSandbox by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could use the FortiSandbox as a proxy to access internal plaintext services, potentially exposing sensitive internal systems or data.
Likely Case
Limited internal reconnaissance or data exfiltration from plaintext HTTP services accessible from the FortiSandbox appliance.
If Mitigated
Minimal impact if network segmentation restricts FortiSandbox access to sensitive internal systems and proper authentication controls are enforced.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of internal plaintext endpoints to target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiSandbox 5.0.5 and later
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-783
Restart Required: Yes
Instructions:
1. Download FortiSandbox 5.0.5 or later from the Fortinet support portal.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or CLI.
4. Reboot the appliance after the update completes.
🔧 Temporary Workarounds
Restrict Network Access
Implement network segmentation to limit FortiSandbox access to only the internal services it requires
Enforce Strong Authentication
Implement multi-factor authentication and strong password policies for FortiSandbox access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FortiSandbox from sensitive internal systems
- Monitor FortiSandbox logs for unusual HTTP request patterns to internal addresses
🔍 How to Verify
Check if Vulnerable:
Check the FortiSandbox version via the web interface (System > Dashboard) or the CLI command 'get system status'
Check Version:
get system status | grep Version
Verify Fix Applied:
Verify that the version is 5.0.5 or later after patching and that SSRF attempts are blocked
📡 Detection & Monitoring
Log Indicators:
- HTTP requests from FortiSandbox to internal plaintext endpoints
- Unusual authentication patterns to FortiSandbox
Network Indicators:
- FortiSandbox making HTTP requests to unexpected internal addresses
- Proxy-like traffic patterns from FortiSandbox
SIEM Query:
source="fortisandbox" AND (http_request.method="GET" OR http_request.method="POST") AND http_request.uri CONTAINS "http://" AND NOT http_request.uri CONTAINS "expected-domain.com"
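As an added example (not part of the advisory or of any Fortinet tooling), the Python filter below applies the log and network indicators above to constructed sample records: it flags requests whose URI embeds an absolute http:// target that is either an internal address or a host outside an allowlist. The flat `user=… method=… uri=…` record format, the field names and the allowlist contents are assumptions for illustration; only `expected-domain.com` comes from the SIEM query above.

```python
import ipaddress
from urllib.parse import urlparse

# Hosts FortiSandbox is legitimately expected to fetch over plaintext HTTP.
# Placeholder allowlist: replace with the hosts your deployment actually uses.
ALLOWED_HOSTS = {"expected-domain.com"}

# Constructed sample records in an assumed flat format (not the vendor's schema):
# "<timestamp> user=<name> method=<verb> uri=<requested path>"
SAMPLE_LOGS = """\
2025-01-10T10:00:01Z user=analyst1 method=GET uri=/api/v1/scan/status
2025-01-10T10:00:05Z user=analyst1 method=GET uri=/fetch?url=http://expected-domain.com/feed.xml
2025-01-10T10:00:09Z user=analyst1 method=POST uri=/fetch?url=http://10.0.5.20:8080/admin
2025-01-10T10:00:12Z user=analyst2 method=GET uri=/fetch?url=http://169.254.169.254/latest/meta-data/
2025-01-10T10:00:15Z user=analyst2 method=GET uri=/fetch?url=https://internal.corp.example/secret
""".splitlines()


def parse_record(line):
    """Split one sample log line into a dict of its key=value fields."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def embedded_target(uri):
    """Host of an absolute http:// URL embedded in the request URI, or None."""
    idx = uri.find("http://")
    return None if idx == -1 else urlparse(uri[idx:]).hostname


def is_internal(host):
    """True when host is a literal address in private, loopback or link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: judged by the allowlist instead
    return ip.is_private or ip.is_loopback or ip.is_link_local


def suspicious_records(lines):
    """Apply the advisory's indicators: an embedded plaintext http:// target
    that is an internal address or a host outside the allowlist."""
    flagged = []
    for rec in map(parse_record, lines):
        host = embedded_target(rec.get("uri", ""))
        if host is not None and (is_internal(host) or host not in ALLOWED_HOSTS):
            flagged.append({**rec, "target": host})
    return flagged
```

A percent-encoded target (`http%3A%2F%2F...`) would slip past this substring match, so decode the URI before applying the check in a real pipeline.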