CVE-2025-25256 | An improper neutralization of special elements used in an OS… | CVSS 9.8 CRITICAL

Description

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3 and before 6.7.9 allows an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests.

Metadata

CVE ID: CVE-2025-25256
State: PUBLISHED
Assigner: fortinet
Reserved: 2025-02-05 13:31 UTC
Published: 2025-08-12 18:59 UTC
Last updated: 2026-02-26 17:48 UTC
Primary CWE: CWE-78
Escalation of privilege
Vendor / Product: Fortinet / FortiSIEM
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:X/RC:C

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Fortinet	FortiSIEM	—	7.3.0 ≤ 7.3.1, 7.2.0 ≤ 7.2.5, 7.1.0 ≤ 7.1.7, 7.0.0 ≤ 7.0.3 …

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	Escalation of privilege

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:X/RC:C

References (1)

https://fortiguard.fortinet.com/psirt/FG-IR-25-152 https://fortiguard.fortinet.com/psirt/FG-IR-25-152