CVE-2025-67862
FortiOS 脆弱性の分析と軽減

概要

CVE-2025-67862 is a "Restricted CLI Escape Using Lua" vulnerability (CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State) in Fortinet FortiOS and FortiProxy. It allows an authenticated administrator to execute arbitrary Lua scripts via crafted CLI commands, effectively escaping the restricted CLI environment. Affected versions include FortiOS 6.4 (all versions), 7.0.0–7.0.16, 7.2.0–7.2.10, 7.4.0–7.4.7, and 7.6.0–7.6.2; and FortiProxy 7.0 (all versions), 7.2.0–7.2.14, 7.4.0–7.4.10, and 7.6.0–7.6.3. The vulnerability was publicly disclosed on June 9, 2026, and was reported by the UK's National Cyber Security Centre (NCSC) under responsible disclosure. It carries a CVSSv3 base score of 6.0–6.7 (Medium/High), requiring local access and high privileges (FortiGuard Advisory).

技術的な詳細

The root cause is classified as CWE-1244 (Internal Asset Exposed to Unsafe Debug Access Level or State), where debug-level Lua scripting capabilities remain accessible through the CLI in production firmware. An authenticated administrator can craft specific CLI commands that invoke the embedded Lua interpreter, bypassing the intended restrictions of the FortiOS/FortiProxy restricted shell environment. Exploitation requires local access and administrative credentials (high privilege), with no user interaction needed and low attack complexity. No public proof-of-concept code has been identified (FortiGuard Advisory).

影響

Successful exploitation allows an authenticated admin to execute arbitrary Lua scripts on the affected system, resulting in high impact to confidentiality, integrity, and availability. An attacker with admin CLI access could read sensitive configuration files and credentials, modify system settings, corrupt data, or crash services. While the attack vector is local and requires existing administrative access, this vulnerability could be leveraged as part of a post-compromise escalation or persistence technique on network security appliances (FortiGuard Advisory).

エクスプロイテーションのステップ

  1. Gain Administrative Access: Obtain valid administrator credentials for a FortiOS or FortiProxy device running a vulnerable version, either through credential theft, phishing, or reuse of compromised accounts.
  2. Access the CLI: Connect to the device CLI via SSH or the management console using the compromised admin account.
  3. Craft Malicious CLI Command: Construct a specially crafted CLI command that invokes the embedded Lua interpreter through the debug access path exposed in the restricted shell.
  4. Execute Lua Script: The crafted command causes the system to execute arbitrary Lua code, bypassing the intended CLI restrictions and operating with the privileges of the FortiOS process.
  5. Achieve Objective: Use the Lua execution capability to read sensitive files (e.g., configuration, credentials), modify system state, or disrupt services (FortiGuard Advisory).

妥協の兆候

  • Logs: Unusual or unexpected CLI command sequences in FortiOS/FortiProxy audit logs, particularly commands referencing Lua or debug-level functions; admin login events from unexpected source IPs or at unusual times.
  • Process/Behavior: Unexpected Lua interpreter invocations or script execution events within the FortiOS process space; anomalous file read/write operations initiated from the CLI session.
  • Network: Outbound connections from the management interface to unknown external hosts following an admin CLI session, which may indicate data exfiltration post-exploitation.

軽減策と回避策

Fortinet has released patched versions addressing this vulnerability: FortiOS 7.6.3 or above, FortiOS 7.4.8 or above, FortiOS 7.2.11 or above, FortiProxy 7.6.4 or above, FortiProxy 7.4.11 or above, and FortiProxy 7.2.15 or above. Note that FortiOS 7.0 and 6.4 branches and FortiProxy 7.0 are listed as affected with no patch version specified in the advisory, so upgrading to a supported branch is recommended. As interim mitigations, restrict CLI access to trusted administrators only, enforce strict access controls on management interfaces, and monitor for suspicious CLI command patterns. Use the Fortinet upgrade path tool at https://docs.fortinet.com/upgrade-tool to plan upgrades (FortiGuard Advisory).

コミュニティの反応

The vulnerability was reported to Fortinet by the UK's National Cyber Security Centre (NCSC) under responsible disclosure, indicating coordinated handling prior to public release (FortiGuard Advisory). Heise (a German technology publication) covered the disclosure as part of a broader roundup of Fortinet security fixes released in June 2026 (Heise News). Community reaction has been relatively muted given the requirement for authenticated admin access, with no significant social media controversy or researcher commentary identified beyond standard vulnerability tracking.

関連情報


ソースこのレポートは AI を使用して生成されました

関連 FortiOS 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2025-53844HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいMay 12, 2026
CVE-2025-53847HIGH8.8
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいApr 14, 2026
CVE-2026-22153HIGH8.1
  • FortiOS logoFortiOS
  • cpe:2.3:o:fortinet:fortios
いいえはいFeb 10, 2026
CVE-2025-67862MEDIUM6.7
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
いいえはいJun 09, 2026
CVE-2025-61624MEDIUM6.5
  • FortiOS logoFortiOS
  • cpe:2.3:a:fortinet:fortiproxy
いいえはいApr 14, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者