Cyber Resilience

CVE-2025-25256

CriticalRCE

Published: 12 August 2025

Published
12 August 2025
Modified
15 August 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.5132 97.9th percentile
Risk Priority 50 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25256 is a critical-severity OS Command Injection (CWE-78) vulnerability in Fortinet Fortisiem. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25256 is an OS command injection vulnerability (CWE-78) present in Fortinet FortiSIEM versions 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3, and all releases prior to 6.7.9. The flaw stems from improper neutralization of special elements in CLI requests, enabling remote code execution without authentication.

An unauthenticated attacker can send crafted CLI requests over the network to execute arbitrary operating-system commands on the affected FortiSIEM instance. Successful exploitation grants full control over the target system, including the ability to read, modify, or delete data and to pivot within the monitored environment, consistent with the CVSS 9.8 rating reflecting network-accessible attack complexity with no required privileges or user interaction.

Fortinet’s advisory FG-IR-25-152 recommends immediate upgrade to a fixed release and provides mitigation guidance for organizations unable to patch promptly. Public technical analysis from watchTowr Labs includes a proof-of-concept repository demonstrating the injection vector, and the issue received coverage in security press shortly after disclosure on 12 August 2025. The associated EPSS score of 0.5132 indicates substantial exploitation interest.

EU & UK References

Vulnerability details

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3 and before 6.7.9 allows an unauthenticated attacker to…

more

execute unauthorized code or commands via crafted CLI requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Unauthenticated OS command injection (CWE-78) in FortiSIEM via crafted CLI requests on port 7900 enables remote code execution, directly facilitating exploitation of public-facing applications and remote services.

CVEs Like This One

CVE-2025-64155Same product: Fortinet Fortisiem
CVE-2024-46667Same product: Fortinet Fortisiem
CVE-2023-40723Same product: Fortinet Fortisiem
CVE-2019-17659Same product: Fortinet Fortisiem
CVE-2024-40584Same vendor: Fortinet
CVE-2024-50566Same vendor: Fortinet
CVE-2024-52961Same vendor: Fortinet
CVE-2025-58034Same vendor: Fortinet
CVE-2026-39808Same vendor: Fortinet
CVE-2024-50567Same vendor: Fortinet

Affected Assets

fortinet
fortisiem
5.4.0 — 6.7.10 · 7.0.0 — 7.0.4 · 7.1.0 — 7.1.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses OS command injection by requiring validation mechanisms at CLI input points to neutralize special elements before OS command execution.

prevent

Ensures timely remediation of the specific improper neutralization flaw in FortiSIEM CLI request handling to prevent exploitation.

detect

Enables monitoring of system activities to identify unauthorized OS command executions resulting from crafted CLI injection attempts.

References