CVE-2025-25256

CriticalRCE

Published: 12 August 2025

Published

12 August 2025

Modified

15 August 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.4659 97.7th percentile

Risk Priority 48 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25256 is a critical-severity OS Command Injection (CWE-78) vulnerability in Fortinet Fortisiem. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses OS command injection by requiring validation mechanisms at CLI input points to neutralize special elements before OS command execution.

SI-2 Flaw Remediation good match

prevent

Ensures timely remediation of the specific improper neutralization flaw in FortiSIEM CLI request handling to prevent exploitation.

SI-4 System Monitoring partial match

detect

Enables monitoring of system activities to identify unauthorized OS command executions resulting from crafted CLI injection attempts.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

Unauthenticated OS command injection (CWE-78) in FortiSIEM via crafted CLI requests on port 7900 enables remote code execution, directly facilitating exploitation of public-facing applications and remote services.

NVD Description

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3 and before 6.7.9 allows an unauthenticated attacker to…

execute unauthorized code or commands via crafted CLI requests.

Deeper analysisAI

CVE-2025-25256 is an improper neutralization of special elements used in an OS command, classified as an OS Command Injection vulnerability (CWE-78), affecting Fortinet FortiSIEM versions 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3, and all versions before 6.7.9. The flaw arises from inadequate handling of special elements in crafted CLI requests, enabling execution of unauthorized code or commands. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

An unauthenticated attacker with network access to the vulnerable FortiSIEM instance can exploit this vulnerability by sending specially crafted CLI requests. No user interaction or privileges are required, allowing remote exploitation with low complexity. Successful attacks enable arbitrary command execution on the underlying OS, resulting in high impacts to confidentiality, integrity, and availability, such as full system compromise.

Fortinet's advisory (FG-IR-25-152) provides details on the vulnerability. Additional coverage includes reporting from The Register and technical analysis from WatchTowr Labs, including a GitHub repository and blog post focused on the pre-authentication command injection in FortiSIEM. Security teams should review these resources for recommended patches and mitigation guidance.

Details

CWE(s): CWE-78

Affected Products

fortinet

fortisiem

5.4.0 — 6.7.10 · 7.0.0 — 7.0.4 · 7.1.0 — 7.1.8

CVEs Like This One

CVE-2025-64155Same product: Fortinet Fortisiem

CVE-2024-46667Same product: Fortinet Fortisiem

CVE-2023-40723Same product: Fortinet Fortisiem

CVE-2019-17659Same product: Fortinet Fortisiem

CVE-2025-66178Same vendor: Fortinet

CVE-2026-25836Same vendor: Fortinet

CVE-2024-50569Same vendor: Fortinet

CVE-2024-50566Same vendor: Fortinet

CVE-2026-39808Same vendor: Fortinet

CVE-2024-50567Same vendor: Fortinet

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-152
Vendor Advisory · psirt@fortinet.com
https://www.theregister.com/2025/08/13/fortinet_discloses_critical_bug/
Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://github.com/watchtowrlabs/watchTowr-vs-FortiSIEM-CVE-2025-25256
134c704f-9b21-4f2e-91b3-4a467353bcc0
https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-all-wrong-fortinet-fortisiem-pre-auth-command-injection-cve-2025-25256/
134c704f-9b21-4f2e-91b3-4a467353bcc0