CVE-2025-64153

HIGH

FortiExtender Firmware 7.0.0-7.0.3, 7.2.0-7.2.x, 7.4.0-7.4.7, 7.6.0-7.6.3 - OS Command Injection

Title source: llm
STIX 2.1

Description

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated attacker to execute unauthorized code or commands via a specific HTTP request.

References (1)

Core 1
Core References

Scores

CVSS v3 7.2
EPSS 0.0158
EPSS Percentile 72.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
fortinet/fortiextender_firmware 7.0.0 - 7.0.4
Published Dec 09, 2025
Tracked Since Feb 18, 2026