CVE-2025-61624
FortiOS Schwachstellenanalyse und -minderung

Überblick

CVE-2025-61624 is a path traversal vulnerability (CWE-22) in the command line interpreter of Fortinet FortiOS, FortiPAM, FortiProxy, and FortiSwitchManager that allows a privileged authenticated attacker to write or delete arbitrary files via specially crafted arguments to existing CLI commands. It was initially published on April 14, 2026, under Fortinet advisory FG-IR-26-122. Affected versions include FortiOS 6.4 through 7.6.4, FortiPAM 1.0 through 1.7.0, FortiProxy 7.0 through 7.6.4, and FortiSwitchManager 7.0.0 through 7.2.7. The vulnerability carries a CVSSv3 score of 5.4 (Medium) per Fortinet's advisory, though NVD rates it 6.5 (Medium/High) (Fortinet Advisory).

Technische Details

The root cause is improper limitation of a pathname to a restricted directory (CWE-22) within the CLI interpreter of affected Fortinet products. An authenticated attacker with an admin profile and at least read-write permissions can supply path traversal sequences (e.g., ../) as arguments to existing CLI commands, causing the interpreter to resolve file paths outside the intended restricted directory and perform arbitrary write or delete operations. Exploitation requires network access to the management interface and valid high-privilege credentials, making it an authenticated, network-delivered attack with low complexity. A virtual patch named "FG-VD-59270.0day" is available in FMWP database update 25.120 as a temporary mitigation (Fortinet Advisory).

Aufprall

Successful exploitation allows an authenticated administrator-level attacker to write or delete arbitrary files on the affected system, resulting in high integrity and availability impacts with no confidentiality impact. File deletion could cause denial of service or system instability, while arbitrary file writes could be leveraged to plant malicious configurations, scripts, or backdoors. The scope is limited to the affected device itself, but compromise of network security appliances like FortiOS or FortiProxy could have significant downstream consequences for the environments they protect (Fortinet Advisory, CIS Advisory).

Ausnutzungsschritte

  1. Reconnaissance: Identify target Fortinet devices (FortiOS, FortiPAM, FortiProxy, FortiSwitchManager) running vulnerable versions using network scanning or Shodan, focusing on management interfaces exposed to the network.
  2. Credential Acquisition: Obtain valid administrator credentials with read-write permissions through phishing, credential stuffing, or reuse of compromised credentials — exploitation requires an authenticated admin-level session.
  3. CLI Access: Log in to the device CLI via SSH or the web-based terminal using the compromised credentials.
  4. Path Traversal Payload: Craft arguments to existing CLI commands that include path traversal sequences (e.g., ../../) to reference file paths outside the intended restricted directory.
  5. Arbitrary File Write/Delete: Execute the crafted CLI command to write a malicious file (e.g., a backdoor script or modified configuration) or delete critical system files to cause denial of service or system instability (Fortinet Advisory).

Indikatoren für Kompromittierung

  • Logs: CLI audit logs showing commands with unusual path arguments containing ../ or encoded traversal sequences; unexpected file operation events in system logs targeting directories outside normal CLI scope.
  • File System: Presence of unexpected files in system directories not normally writable via CLI; missing or modified critical configuration or system files; new scripts or binaries in unusual locations.
  • Network: Unusual SSH sessions from unexpected source IPs to management interfaces; repeated failed or successful admin logins preceding suspicious CLI activity.
  • Process: Unexpected file write or delete operations initiated by the CLI interpreter process on the Fortinet device.

Risikominderung und Problemumgehungen

Fortinet has released patches addressing this vulnerability; organizations should upgrade to the following fixed versions: FortiOS 7.4.10+ or 7.6.5+; FortiPAM 1.7.1+; FortiProxy 7.4.12+ or 7.6.5+; FortiSwitchManager 7.0.7+ or 7.2.8+. FortiOS 7.0, 7.2, and 6.4 (all versions) and FortiPAM versions prior to 1.7 have no direct fix and must migrate to a supported fixed release. As an interim measure, a virtual patch "FG-VD-59270.0day" is available in FMWP database update 25.120. Additionally, restrict CLI access to trusted administrators only, enforce strong authentication, and monitor for suspicious CLI file operations (Fortinet Advisory).

Reaktionen der Community

The CIS (Center for Internet Security) issued an advisory noting that multiple vulnerabilities in Fortinet products, including CVE-2025-61624, could allow for arbitrary code execution, recommending immediate patching (CIS Advisory). Greenbone published a blog post covering critical Fortinet RCE vulnerabilities in 2026, including this issue in the context of broader Fortinet security concerns (Greenbone Blog). Security news outlets including CyberSecurityNews and CyberPress covered the broader Fortinet patch release addressing 11 vulnerabilities across multiple products. CISA included the vulnerability in its weekly bulletin for the week of April 13, 2026.

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt FortiOS Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2025-53844HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NeinJaMay 12, 2026
CVE-2025-53847HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NeinJaApr 14, 2026
CVE-2026-22153HIGH8.1
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NeinJaFeb 10, 2026
CVE-2025-67862MEDIUM6.7
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
NeinJaJun 09, 2026
CVE-2025-61624MEDIUM6.5
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
NeinJaApr 14, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement