CVE-2025-25256
Published: 12 August 2025
Summary
CVE-2025-25256 is a critical-severity OS Command Injection (CWE-78) vulnerability in Fortinet Fortisiem. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25256 is an OS command injection vulnerability (CWE-78) present in Fortinet FortiSIEM versions 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3, and all releases prior to 6.7.9. The flaw stems from improper neutralization of special elements in CLI requests, enabling remote code execution without authentication.
An unauthenticated attacker can send crafted CLI requests over the network to execute arbitrary operating-system commands on the affected FortiSIEM instance. Successful exploitation grants full control over the target system, including the ability to read, modify, or delete data and to pivot within the monitored environment, consistent with the CVSS 9.8 rating reflecting network-accessible attack complexity with no required privileges or user interaction.
Fortinet’s advisory FG-IR-25-152 recommends immediate upgrade to a fixed release and provides mitigation guidance for organizations unable to patch promptly. Public technical analysis from watchTowr Labs includes a proof-of-concept repository demonstrating the injection vector, and the issue received coverage in security press shortly after disclosure on 12 August 2025. The associated EPSS score of 0.5132 indicates substantial exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24462
Vulnerability details
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3 and before 6.7.9 allows an unauthenticated attacker to…
more
execute unauthorized code or commands via crafted CLI requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated OS command injection (CWE-78) in FortiSIEM via crafted CLI requests on port 7900 enables remote code execution, directly facilitating exploitation of public-facing applications and remote services.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses OS command injection by requiring validation mechanisms at CLI input points to neutralize special elements before OS command execution.
Ensures timely remediation of the specific improper neutralization flaw in FortiSIEM CLI request handling to prevent exploitation.
Enables monitoring of system activities to identify unauthorized OS command executions resulting from crafted CLI injection attempts.