{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-031.pdf"
    },
    "title": "Multiple Vulnerabilities in Fortinet Products",
    "serial_number": "2025-031",
    "publish_date": "13-08-2025 10:13:27",
    "description": "On August 12, 2025, Fortinet released security advisories addressing several vulnerabilities, including a critical one exploited in the wild, and two high severity ones.<br>\nIt is recommended to update as soon as possible.<br>\n",
    "url_title": "2025-031",
    "content_markdown": "---    \ntitle: 'Multiple Vulnerabilities in\u00a0Fortinet\u00a0Products'\nnumber: '2025-031'\nversion: '1.0'\noriginal_date: '2025-08-12'\ndate: '2025-08-13'\n---\n\n_History:_\n\n* _13/08/2025 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn August 12, 2025, Fortinet released security advisories addressing several vulnerabilities, including a critical one **exploited in the wild**, and two high severity ones.\n\nIt is recommended to update as soon as possible.\n\n# Technical Details\n\nThe vulnerability **CVE-2025-25256**, with a CVSS score of 9.8, is due to improper neutralisation of special elements used in an OS command and allows a remote unauthenticated attacker to execute unauthorised code or commands via crafted CLI requests. The vulnerability is known to be exploited in the wild [1].\n\nThe vulnerability **CVE-2024-26009**, with a CVSS score of 7.9, is an authentication bypass using an alternate path or channel vulnerability and may allow an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number [2].\n\nThe vulnerability **CVE-2025-52970**, with a CVSS score of 7.7, is due to improper handling of parameters and allows an unauthenticated remote attacker in possession of non-public information (pertaining to both the device and to the targeted user) to log in as any existing user on the device via a specially crafted request [3].\n\n# Affected Products\n\nThe vulnerability **CVE-2025-25256** affects the following versions of FortiSIEM:\n\n- 7.3.0 through 7.3.1\n- 7.2.0 through 7.2.5\n- 7.1.0 through 7.1.7\n- 7.0.0 through 7.0.3\n- 6.7.0 through 6.7.9\n- 6.6, 6.5, 6.4, 6.3, 6.2 and 6.1\n- 5.4\n\nThe vulnerability **CVE-2024-26009** affects the following versions of FortiWeb:\n\n- 7.6.0 through 7.6.3\n- 7.4.0 through 7.4.7\n- 7.2.0 through 7.2.10\n- 7.0.0 through 7.0.10\n\nThe vulnerability **CVE-2025-52970** affects the following versions of FortiOS, FortiPAM, FortiProxy and FortiSwitch Manager:\n\n- FortiOS 6.4.0 through 6.4.15\n- FortiOS 6.2.0 through 6.2.16\n- FortiOS 6.0 all versions\n- FortiPAM 1.2 all versions\n- FortiPAM 1.1 all versions\n- FortiPAM 1.0 all versions\n- FortiProxy 7.4.0 through 7.4.2\n- FortiProxy 7.2.0 through 7.2.8\n- FortiProxy 7.0.0 through 7.0.15\n- FortiSwitchManager 7.2.0 through 7.2.3\n- FortiSwitchManager 7.0.0 through 7.0.3\n\n# Recommendations\n\nIt is recommended to update vulnerable products as soon as possible.\n\n## Workaround\n\nTo mitigate the vulnerability **CVE-2025-25256**, it is possible to limit access to the `phMonitor` port (7900) of FortiSIEM.\n\n# References\n\n[1] <https://www.fortiguard.com/psirt/FG-IR-25-152>\n\n[2] <https://www.fortiguard.com/psirt/FG-IR-24-042>\n\n[3] <https://www.fortiguard.com/psirt/FG-IR-25-448>",
    "content_html": "<p><em>History:</em></p><ul><li><em>13/08/2025 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On August 12, 2025, Fortinet released security advisories addressing several vulnerabilities, including a critical one <strong>exploited in the wild</strong>, and two high severity ones.</p><p>It is recommended to update as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2025-25256</strong>, with a CVSS score of 9.8, is due to improper neutralisation of special elements used in an OS command and allows a remote unauthenticated attacker to execute unauthorised code or commands via crafted CLI requests. The vulnerability is known to be exploited in the wild [1].</p><p>The vulnerability <strong>CVE-2024-26009</strong>, with a CVSS score of 7.9, is an authentication bypass using an alternate path or channel vulnerability and may allow an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number [2].</p><p>The vulnerability <strong>CVE-2025-52970</strong>, with a CVSS score of 7.7, is due to improper handling of parameters and allows an unauthenticated remote attacker in possession of non-public information (pertaining to both the device and to the targeted user) to log in as any existing user on the device via a specially crafted request [3].</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability <strong>CVE-2025-25256</strong> affects the following versions of FortiSIEM:</p><ul><li>7.3.0 through 7.3.1</li><li>7.2.0 through 7.2.5</li><li>7.1.0 through 7.1.7</li><li>7.0.0 through 7.0.3</li><li>6.7.0 through 6.7.9</li><li>6.6, 6.5, 6.4, 6.3, 6.2 and 6.1</li><li>5.4</li></ul><p>The vulnerability <strong>CVE-2024-26009</strong> affects the following versions of FortiWeb:</p><ul><li>7.6.0 through 7.6.3</li><li>7.4.0 through 7.4.7</li><li>7.2.0 through 7.2.10</li><li>7.0.0 through 7.0.10</li></ul><p>The vulnerability <strong>CVE-2025-52970</strong> affects the following versions of FortiOS, FortiPAM, FortiProxy and FortiSwitch Manager:</p><ul><li>FortiOS 6.4.0 through 6.4.15</li><li>FortiOS 6.2.0 through 6.2.16</li><li>FortiOS 6.0 all versions</li><li>FortiPAM 1.2 all versions</li><li>FortiPAM 1.1 all versions</li><li>FortiPAM 1.0 all versions</li><li>FortiProxy 7.4.0 through 7.4.2</li><li>FortiProxy 7.2.0 through 7.2.8</li><li>FortiProxy 7.0.0 through 7.0.15</li><li>FortiSwitchManager 7.2.0 through 7.2.3</li><li>FortiSwitchManager 7.0.0 through 7.0.3</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to update vulnerable products as soon as possible.</p><h3 id=\"workaround\">Workaround</h3><p>To mitigate the vulnerability <strong>CVE-2025-25256</strong>, it is possible to limit access to the <code>phMonitor</code> port (7900) of FortiSIEM.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-25-152\">https://www.fortiguard.com/psirt/FG-IR-25-152</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-24-042\">https://www.fortiguard.com/psirt/FG-IR-24-042</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.fortiguard.com/psirt/FG-IR-25-448\">https://www.fortiguard.com/psirt/FG-IR-25-448</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}