Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (fortinet) · only source for this CVE.
CVSS VectorVendor: fortinet
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0 all versions may allow an authenticated admin to execute lua scripts via crafted CLI commands.
AnalysisAI
Fortinet FortiOS and FortiProxy expose an internal debug interface (CWE-1244) that allows authenticated administrators to execute arbitrary Lua scripts through crafted CLI commands, exceeding their intended administrative scope. The vulnerability spans broad version ranges of both products, including FortiOS 6.4 through 7.6.2 and FortiProxy 7.0 through 7.6.3. While exploitation requires existing high-privilege (admin) access - limiting opportunistic attack surface - the CVSS temporal vector (E:P) confirms a proof-of-concept exploit exists, and the official fix is available (RL:O). No public exploit identified at time of analysis beyond the proof-of-concept, and this vulnerability is not listed in CISA KEV.
Technical ContextAI
CWE-1244 ('Internal Asset Exposed to Unsafe Debug Access Level or State') describes a class of vulnerabilities where debug or test interfaces - typically intended only for development or factory use - remain accessible in production firmware, exposing capabilities beyond what the normal operational interface is supposed to permit. In FortiOS and FortiProxy, the Lua scripting engine (used internally for automation and testing) is reachable via specially crafted CLI commands by an administrator. This means an admin who should only have access to standard management operations can invoke a Lua interpreter at a privileged system level, effectively bypassing the intended capability boundary. Affected CPEs are cpe:2.3:a:fortinet:fortios and cpe:2.3:a:fortinet:fortiproxy across the version ranges specified. The CVSS local attack vector (AV:L) confirms this requires CLI or console-level access to the device, not a remote network path.
RemediationAI
Patch available per vendor advisory (official fix confirmed by RL:O CVSS temporal metric) - consult the Fortinet PSIRT advisory at https://fortiguard.fortinet.com/psirt/FG-IR-26-143 for exact fixed versions for each affected FortiOS and FortiProxy branch, as specific patch version numbers were not provided in the available intelligence. As a compensating control where immediate patching is not feasible, restrict CLI and management console access to the minimum required administrator accounts using Fortinet's administrative access controls and trusted host restrictions. Enabling detailed CLI audit logging can help detect exploitation attempts. Disabling or removing unnecessary admin accounts reduces exposure to compromised credential scenarios. Note that these controls reduce risk but do not remediate the underlying debug interface exposure - patching remains the definitive fix.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0
Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before 4.1.11, 4.2.x before 4.2.13, and 4.3.x before 4.3.9
Cross-site scripting (XSS) vulnerability in the sslvpn login page in Fortinet FortiOS 5.2.x before 5.2.3 allows remote a
FortiOS and FortiProxy contain an authentication bypass allowing unauthenticated attackers with knowledge of upstream/do
Arbitrary file write and folder deletion in Fortinet FortiManager, FortiOS, and FortiProxy is possible via a path traver
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 an
A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0
A buffer underwrite ('buffer underflow') vulnerability in the administrative interface of Fortinet FortiOS version 7.2.0
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to Execute unauthor
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6.0 and earlier allows attackers to execute unauthor
A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4.0 through 5.4.4 and 5.6.0 allows attackers to exec
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210085
GHSA-h6fm-ggmr-98gx