CVE-2025-67862 Overview
CVE-2025-67862 is an Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] affecting Fortinet FortiOS and FortiProxy. The flaw allows an authenticated administrator to execute Lua scripts through crafted command-line interface (CLI) commands. Fortinet tracks the issue under advisory FG-IR-26-143. The vulnerability requires high privileges and local access, but successful exploitation results in high impact to confidentiality, integrity, and availability of the affected appliance.
Critical Impact
An authenticated administrator can leverage unsafe debug access to execute arbitrary Lua scripts on FortiOS and FortiProxy devices, potentially expanding control beyond the intended CLI command surface.
Affected Products
- Fortinet FortiOS 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, and all 6.4 versions
- Fortinet FortiProxy 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, and all 7.0 versions
- Fortinet network security appliances running the listed firmware
Discovery Timeline
- 2026-06-09 - CVE-2025-67862 published to the National Vulnerability Database (NVD)
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2025-67862
Vulnerability Analysis
The vulnerability stems from an internal debug interface that remains accessible from the administrator CLI in shipping firmware. An authenticated admin can issue crafted CLI commands that route input into an embedded Lua interpreter. Because the interpreter is not intended to be reachable from the production CLI, scripts executed through this path operate outside the standard command authorization model. Lua execution in this context can read sensitive configuration, alter device state, and influence the integrity of the security appliance.
Root Cause
The weakness is classified under [CWE-1244]: an internal asset is exposed to an unsafe debug access level. The Lua scripting capability used for vendor diagnostics was not gated from the standard administrative CLI in the affected releases. The condition is present across multiple FortiOS and FortiProxy branches, indicating a long-lived debug surface that was not removed before release.
Attack Vector
Exploitation requires authenticated access with administrator privileges on the device. The attacker uses local CLI access, either through SSH, console, or the web-based CLI console. Crafted commands invoke the Lua execution path, allowing the attacker to run arbitrary script logic on the appliance. The attack does not require user interaction and operates within a single security scope on the device.
No verified proof-of-concept code is published. The Fortinet advisory FG-IR-26-143 is the authoritative technical reference. See the Fortinet Security Advisory FG-IR-26-143 for vendor details.
Detection Methods for CVE-2025-67862
Indicators of Compromise
- Administrator CLI sessions issuing unusual or undocumented diagnostic commands that reference Lua or debug subsystems
- Unexpected configuration changes following an admin session on FortiOS or FortiProxy devices
- Outbound connections from the appliance management plane that do not match approved update or telemetry destinations
Detection Strategies
- Forward FortiOS and FortiProxy event and audit logs to a central log platform and alert on rare CLI command strings used by admin accounts
- Baseline normal administrator command patterns and flag deviations such as uncommon diagnostic verbs or syntax
- Correlate admin authentication events with subsequent configuration or system-state changes to identify abuse of privileged sessions
Monitoring Recommendations
- Enable CLI command auditing on all FortiOS and FortiProxy devices and ship logs off-box in near real time
- Monitor admin account usage patterns, including source IPs, session times, and command frequency
- Track firmware versions across the fleet and alert on devices running versions listed in FG-IR-26-143
How to Mitigate CVE-2025-67862
Immediate Actions Required
- Inventory all FortiOS and FortiProxy devices and identify systems running affected versions
- Apply the fixed firmware releases identified in FG-IR-26-143 according to the vendor upgrade path
- Restrict administrative CLI access to a small set of trusted management hosts and require multi-factor authentication for admin accounts
- Review admin account inventory and remove unused or shared administrator credentials
Patch Information
Fortinet has published security advisory FG-IR-26-143 with fixed version information for FortiOS and FortiProxy. Administrators should consult the Fortinet Security Advisory FG-IR-26-143 for the specific upgrade targets that resolve CVE-2025-67862.
Workarounds
- Limit management plane exposure by binding administrative services to dedicated management interfaces only
- Enforce trusthost restrictions on administrator profiles so that admin logins are accepted only from specific source addresses
- Rotate administrator credentials and audit all privileged accounts for signs of misuse prior to patching
# Example: restrict admin access by source on FortiOS
config system admin
edit "admin"
set trusthost1 10.0.0.0 255.255.255.0
set accprofile "super_admin"
next
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

