FortiSandbox - Predictable session IDs of JSON API


A small space of random values in the FortiSandbox RPC API may allow an attacker who possesses a few pieces of information about the state of the device to predict valid session IDs.
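The weakness class described above, shown as an added illustration; this is not Fortinet code and does not reflect how FortiSandbox builds its session IDs. The weak generator, the device-state string and the 64-bit floor are assumptions chosen for the demonstration. The example shows why a long ID can still come from a small space, and how a collision count over sampled IDs reveals it:

```python
import hashlib
import math
import random
import secrets
from collections import Counter

MIN_BITS = 64  # assumed policy floor for session-ID entropy, not taken from the advisory

def weak_session_id(rng, device_state=b"serial=EXAMPLE;boot=1700000000"):
    """Constructed weak design: long hash output, but only 16 random bits go in."""
    nonce = rng.getrandbits(16).to_bytes(2, "big")
    return hashlib.sha256(device_state + nonce).hexdigest()[:32]

def strong_session_id():
    """128 bits straight from the OS CSPRNG."""
    return secrets.token_hex(16)

def estimate_space_bits(ids):
    """Birthday estimate of log2(ID space) from colliding pairs; inf if none seen."""
    n = len(ids)
    pairs = sum(c * (c - 1) // 2 for c in Counter(ids).values())
    if pairs == 0:
        return math.inf
    # E[pairs] ~= n(n-1) / (2N)  =>  N ~= n(n-1) / (2 * pairs)
    return math.log2(n * (n - 1) / (2 * pairs))

def audit(make_id, samples=4000, min_bits=MIN_BITS):
    """Return (passed, estimated_bits). A pass only means no collision was seen
    in this sample; it cannot prove the generator is strong."""
    bits = estimate_space_bits([make_id() for _ in range(samples)])
    return bits >= min_bits, bits

if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed so the constructed demo is repeatable
    print("weak  :", audit(lambda: weak_session_id(rng)))
    print("strong:", audit(strong_session_id))
```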

Affected Products

FortiSandbox version 3.2.2 and below.
FortiSandbox version 3.1.4 and below.


Solutions

Upgrade to FortiSandbox version 4.0.0.
Upgrade to FortiSandbox version 3.2.3.


Internally discovered and reported by Giuseppe Cocomazzi of Fortinet PSIRT.