CVE-2025-25256

CRITICAL EXPLOITED NUCLEI

Fortinet FortiSIEM - OS Command Injection

Title source: nuclei

Exploitation Summary

CVE-2025-25256 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including watchtowrlabs. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a Python script that exploits CVE-2025-25256, an unauthenticated remote command execution vulnerability in FortiSIEM. The script crafts a malicious XML payload and sends it to the target via SSL socket to trigger command execution.

Description

An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3 and before 6.7.9 allows an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests.

Exploits (1)

nomisec WORKING POC 18 stars
by watchtowrlabs · remote
https://github.com/watchtowrlabs/watchTowr-vs-FortiSIEM-CVE-2025-25256

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FortiSIEM (versions 6.1-7.3.1, excluding 7.4)
No auth needed
Prerequisites: Network access to target's port 7900
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Fortinet FortiSIEM - OS Command Injection
CRITICAL · by watchtowr, darses
Shodan: http.favicon.hash:-1341442175 || http.html:"var hst = location.hostname"
FOFA: icon_hash="-1341442175" || body="var hst = location.hostname"

Scores

CVSS v3 9.8
EPSS 0.5132
EPSS Percentile 98.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2025-08-12
CWE CWE-78
Status published
Products (1)
fortinet/fortisiem 5.4.0 - 6.7.10
Published Aug 12, 2025
Tracked Since Feb 18, 2026