
Fortinet has warned customers of a critical security flaw in FortiSIEM for which it says exploit code exists in the wild.
The vulnerability tracked as CVE-2025-25256 has a CVSS score of 9.8 out of a maximum of 10.0.
"An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests," the company said in an advisory released Tuesday.
The following versions are affected by the flaw:

FortiSIEM 7.3.0 through 7.3.1 (Upgrade to 7.3.2 or above)
FortiSIEM 7.2.0 through 7.2.5 (Upgrade to 7.2.6 or above)
FortiSIEM 7.1.0 through 7.1.7 (Upgrade to 7.1.8 or above)
FortiSIEM 7.0.0 through 7.0.3 (Upgrade to 7.0.4 or above)
FortiSIEM 6.7.0 through 6.7.9 (Upgrade to 6.7.10 or above)
FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6 (Migrate to a fixed release)
FortiSIEM 7.4 (Not affected)

Fortinet acknowledged in its advisory that "practical exploit code for this vulnerability was found in the wild," but did not share further details about the nature of the exploit or where it was found. It also noted that the exploit code does not appear to produce distinctive indicators of compromise (IoCs), so defenders cannot rely on a known artifact to confirm whether an appliance has already been attacked.
As a workaround, the network security company recommends that organizations limit access to the phMonitor port (TCP 7900), the service through which the vulnerable CLI requests are received, to trusted hosts only.
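One way to implement that workaround on a Linux host, and to compensate for the lack of distinctive IoCs, is to allowlist the FortiSIEM peer nodes that legitimately talk to phMonitor (Supervisor, Workers, Collectors), then log and drop every other new connection to TCP 7900 so that an unexpected source address becomes the signal to investigate. The script below is an added example written for this article; it is not Fortinet's code or part of its advisory. It assumes iptables is the host firewall, and the peer addresses it uses are constructed placeholders, not real deployment values. It prints the rules rather than applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example: generate iptables rules that restrict the FortiSIEM phMonitor
# port (TCP 7900) to an allowlist of peer nodes and log everything else.
# Peer addresses passed to the functions below are constructed placeholders.

PHMON_PORT=7900

# gen_phmonitor_rules "<space-separated allowed source IPs or CIDRs>"
# Prints the rules to stdout (does not apply them); pipe into a shell or
# adapt into an iptables-restore file after review.
gen_phmonitor_rules() {
    allow_list="$1"
    # Keep in-flight Supervisor/Worker/Collector sessions alive while rules load.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$PHMON_PORT"
    # One ACCEPT per trusted peer for new connections (word-splitting intended).
    for src in $allow_list; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$src" "$PHMON_PORT"
    done
    # Log, then drop: the exploit leaves no distinctive IoC, so a denied
    # connection attempt from an unknown source is the record worth keeping.
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j LOG --log-prefix "PHMON-DENY: " --log-level 4\n' "$PHMON_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$PHMON_PORT"
}

# count_rules "<allow list>": number of rules produced, as a sanity check
# before loading (expected: allowed peers + 3).
count_rules() {
    gen_phmonitor_rules "$1" | wc -l | tr -d ' '
}

# Constructed example: a Supervisor with two Workers and one Collector.
gen_phmonitor_rules "10.10.0.11 10.10.0.12 10.10.0.20/32"
```

Once loaded, search the kernel log (for example with journalctl -k) for the PHMON-DENY prefix; any hit from an address that is not a FortiSIEM node is a connection attempt against the vulnerable service and should be treated as a lead, even though the appliance itself may show nothing unusual.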
The disclosure comes a day after GreyNoise warned of "significant spikes" in brute-force traffic targeting Fortinet SSL VPN devices, with dozens of IP addresses from the Netherlands probing devices in the U.S., Canada, Russia and elsewhere.