CVE-2025-64153

Summary

A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated attacker to execute unauthorized code or commands via a specific HTTP request.

Affected Software

VendorProductVersion RangeStatus
FortinetFortiExtender7.6.0 <= 7.6.3affected
FortinetFortiExtender7.4.0 <= 7.4.7affected
FortinetFortiExtender7.2.0 <= 7.2.5affected
FortinetFortiExtender7.0.0 <= 7.0.5affected

Weaknesses

  • CWE-78: Execute unauthorized code or commands

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References