Fortinet has disclosed a Server-Side Request Forgery (SSRF) vulnerability in its FortiSandbox appliance, urging customers to update immediately to prevent potential internal traffic exposure.
The flaw, tracked as CVE-2025-67685 (FG-IR-25-783), was announced on January 13, 2026, and affects older versions of FortiSandbox. While rated low severity with a CVSS v3 score of 3.4, the vulnerability could allow attackers with high-privilege access to proxy internal HTTP requests via crafted inputs.
Vulnerability Details
- CVE ID: CVE-2025-67685
- Description: SSRF in GUI component enabling internal traffic proxying
- CVSS Score: 3.4 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N)
- Root Cause: Improper input validation (CWE-918)
- Attack Requirements: Authenticated, high-privilege access
- Impact: Proxying internal plaintext endpoints, potential metadata leakage
The flaw resides in the GUI console, allowing attackers to forge HTTP requests to localhost or internal IPs over HTTP/HTTPS. While exploitation requires admin-level credentials, the vulnerability could expose sensitive internal services in air-gapped or segmented environments.
Exploitation Risk and Discovery
Fortinet confirmed no evidence of active exploitation as of publication. The vulnerability was responsibly disclosed by Jason McFadyen of Trend Micro’s Zero Day Initiative.
Although the blast radius is limited to non-TLS endpoints, proxying could enable further pivots in misconfigured setups, especially if internal services lack authentication.
Affected Versions and Fixes
| Version Branch | Affected Releases | Solution |
|---|---|---|
| 5.0 | 5.0.0 through 5.0.4 | Upgrade to 5.0.5+ |
| 4.4 | All versions | Migrate to fixed release |
| 4.2 | All versions | Migrate to fixed release |
| 4.0 | All versions | Migrate to fixed release |
Fortinet recommends immediate upgrades via the FortiGuard portal. Organizations running legacy FortiSandbox 4.x should prioritize migration as end-of-support approaches.
Security Recommendations
- Upgrade to FortiSandbox 5.0.5 or later (preferably latest release)
- Audit GUI logs for anomalous internal fetches since January 2026
- Restrict admin access and enforce MFA
- Review internal service exposure and apply segmentation best practices
Why This Matters
While CVE-2025-67685 is low severity, SSRF vulnerabilities can serve as stepping stones for lateral movement, especially in environments with weak internal security controls. Organizations should treat this as a preventive patching priority to avoid future exploitation scenarios.
