Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67862

CVE-2025-67862: Fortinet FortiOS RCE Vulnerability

CVE-2025-67862 is a remote code execution vulnerability in Fortinet FortiOS and FortiProxy allowing authenticated admins to execute Lua scripts via CLI commands. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-67862 Overview

CVE-2025-67862 is an Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] affecting Fortinet FortiOS and FortiProxy. The flaw allows an authenticated administrator to execute Lua scripts through crafted command-line interface (CLI) commands. Fortinet tracks the issue under advisory FG-IR-26-143. The vulnerability requires high privileges and local access, but successful exploitation results in high impact to confidentiality, integrity, and availability of the affected appliance.

Critical Impact

An authenticated administrator can leverage unsafe debug access to execute arbitrary Lua scripts on FortiOS and FortiProxy devices, potentially expanding control beyond the intended CLI command surface.

Affected Products

  • Fortinet FortiOS 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, and all 6.4 versions
  • Fortinet FortiProxy 7.6.0 through 7.6.3, 7.4.0 through 7.4.10, 7.2.0 through 7.2.14, and all 7.0 versions
  • Fortinet network security appliances running the listed firmware

Discovery Timeline

  • 2026-06-09 - CVE-2025-67862 published to the National Vulnerability Database (NVD)
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2025-67862

Vulnerability Analysis

The vulnerability stems from an internal debug interface that remains accessible from the administrator CLI in shipping firmware. An authenticated admin can issue crafted CLI commands that route input into an embedded Lua interpreter. Because the interpreter is not intended to be reachable from the production CLI, scripts executed through this path operate outside the standard command authorization model. Lua execution in this context can read sensitive configuration, alter device state, and influence the integrity of the security appliance.

Root Cause

The weakness is classified under [CWE-1244]: an internal asset is exposed to an unsafe debug access level. The Lua scripting capability used for vendor diagnostics was not gated from the standard administrative CLI in the affected releases. The condition is present across multiple FortiOS and FortiProxy branches, indicating a long-lived debug surface that was not removed before release.

Attack Vector

Exploitation requires authenticated access with administrator privileges on the device. The attacker uses local CLI access, either through SSH, console, or the web-based CLI console. Crafted commands invoke the Lua execution path, allowing the attacker to run arbitrary script logic on the appliance. The attack does not require user interaction and operates within a single security scope on the device.

No verified proof-of-concept code is published. The Fortinet advisory FG-IR-26-143 is the authoritative technical reference. See the Fortinet Security Advisory FG-IR-26-143 for vendor details.

Detection Methods for CVE-2025-67862

Indicators of Compromise

  • Administrator CLI sessions issuing unusual or undocumented diagnostic commands that reference Lua or debug subsystems
  • Unexpected configuration changes following an admin session on FortiOS or FortiProxy devices
  • Outbound connections from the appliance management plane that do not match approved update or telemetry destinations

Detection Strategies

  • Forward FortiOS and FortiProxy event and audit logs to a central log platform and alert on rare CLI command strings used by admin accounts
  • Baseline normal administrator command patterns and flag deviations such as uncommon diagnostic verbs or syntax
  • Correlate admin authentication events with subsequent configuration or system-state changes to identify abuse of privileged sessions

Monitoring Recommendations

  • Enable CLI command auditing on all FortiOS and FortiProxy devices and ship logs off-box in near real time
  • Monitor admin account usage patterns, including source IPs, session times, and command frequency
  • Track firmware versions across the fleet and alert on devices running versions listed in FG-IR-26-143

How to Mitigate CVE-2025-67862

Immediate Actions Required

  • Inventory all FortiOS and FortiProxy devices and identify systems running affected versions
  • Apply the fixed firmware releases identified in FG-IR-26-143 according to the vendor upgrade path
  • Restrict administrative CLI access to a small set of trusted management hosts and require multi-factor authentication for admin accounts
  • Review admin account inventory and remove unused or shared administrator credentials

Patch Information

Fortinet has published security advisory FG-IR-26-143 with fixed version information for FortiOS and FortiProxy. Administrators should consult the Fortinet Security Advisory FG-IR-26-143 for the specific upgrade targets that resolve CVE-2025-67862.

Workarounds

  • Limit management plane exposure by binding administrative services to dedicated management interfaces only
  • Enforce trusthost restrictions on administrator profiles so that admin logins are accepted only from specific source addresses
  • Rotate administrator credentials and audit all privileged accounts for signs of misuse prior to patching
bash
# Example: restrict admin access by source on FortiOS
config system admin
  edit "admin"
    set trusthost1 10.0.0.0 255.255.255.0
    set accprofile "super_admin"
  next
end

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.