Cybersecurity Threat Advisory: FortiOS CLI command bypass vulnerability

Fortinet has disclosed a high-severity vulnerability in FortiOS, tracked as CVE-2025-58325 and rated CVSS 7.8. The flaw could allow a local, authenticated attacker to bypass CLI restrictions and execute arbitrary system commands. It stems from improper input validation in the FortiOS CLI, which makes command injection possible through specially crafted input. Review the details of this Cybersecurity Threat Advisory to secure your systems.

What is the threat?

CVE-2025-58325 is a command injection vulnerability in the FortiOS CLI that allows a local, authenticated user to bypass the restrictions the CLI is supposed to enforce and execute arbitrary system-level commands on Fortinet devices. The flaw exists because certain CLI functions do not properly sanitize user input before passing it to the underlying operating system shell.

An attacker with an authenticated session (via the physical console, SSH, or the web-based management interface) can craft input containing shell metacharacters (for example `;`, `&&`, or `|`) so that the shell treats the remainder as a second command. The injected command runs with the privileges of the FortiOS process, which on these appliances is typically root, giving the attacker full control over the device.
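The mechanism described above, in a deliberately small model that is an added example and not FortiOS code: a restricted CLI exposes one command, builds the underlying OS command from the user's argument, and hands the string to a shell. The command name, the hostname pattern and the use of `echo` in place of the real network tool are assumptions made so the example runs offline; the vulnerable dispatcher sits beside its hardened form.

```python
import re
import subprocess

# Constructed model of a restricted CLI that exposes a single command,
# "probe <host>". It is an illustration, not FortiOS code. "echo" stands in
# for the real network tool so the example runs offline and touches nothing.

# Allowlist for the one argument the command accepts: hostname characters only,
# which excludes every shell metacharacter (; & | $ ` < > newline, ...).
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")


def probe_vulnerable(host: str) -> str:
    """Builds the OS command by string concatenation and runs it through /bin/sh.

    Whatever follows a shell metacharacter in `host` is parsed by the shell as a
    second command and executed with the privileges of this process.
    """
    cmd = f"echo probing {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def probe_hardened(host: str) -> str:
    """Validates the argument against the allowlist and passes an argv list.

    No shell is involved, so metacharacters carry no special meaning, and the
    allowlist rejects them anyway: the dispatcher fails closed on anything odd.
    """
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected argument: {host!r}")
    return subprocess.run(["echo", "probing", host], capture_output=True, text=True).stdout


def injected(output: str) -> bool:
    """True if the marker for attacker-controlled output appeared in the result."""
    return "INJECTED" in output


def rejected(host: str) -> bool:
    """True if the hardened dispatcher refuses the argument."""
    try:
        probe_hardened(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "10.0.0.1; echo INJECTED"   # ';' terminates the first command
    print(probe_vulnerable(payload), end="")  # "probing 10.0.0.1" then "INJECTED"
    print("hardened rejects payload:", rejected(payload))
```

The two fixes in `probe_hardened` are independent and both matter: the argv form removes the shell from the path entirely, and the allowlist keeps a later change (say, someone reintroducing `shell=True` for a feature) from silently reopening the hole.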

This level of control enables actions such as disabling firewall rules, altering VPN settings, creating unauthorized admin accounts, installing persistence mechanisms, and exfiltrating sensitive files. Because exploitation requires an authenticated session, the flaw cannot be used by an unauthenticated remote attacker on its own, but it is a natural second stage after credential theft or another vulnerability, and in that chain it delivers full device compromise.

Why is it noteworthy?

This vulnerability is significant because it affects FortiOS, the core operating system of Fortinet's widely deployed firewalls and security appliances. Although exploitation requires local, authenticated access, attackers frequently obtain that access through credential theft, phishing, or by chaining other vulnerabilities. Once they have it, CVE-2025-58325 lets them escalate from a restricted CLI session to full control over critical security infrastructure.

What is the exposure or risk?

If exploited, CVE-2025-58325 lets an attacker bypass CLI restrictions and execute arbitrary commands, resulting in full administrative control of the device: firewall rules can be disabled, VPN configurations altered, unauthorized accounts created, and backdoors installed. Because the device sits at a network boundary, that control can then be used for lateral movement, data exfiltration, and long-term persistence within the network.

What are the recommendations?

Barracuda strongly recommends that organizations take the following steps to secure their Fortinet devices:

  • Apply Fortinet’s security updates immediately to all affected FortiOS versions, as listed in the vendor advisory.
  • Restrict local and management-plane access to Fortinet devices to trusted administrators, and give each administrator the least-privileged admin profile the role needs.
  • Enable multifactor authentication (MFA) for all administrative accounts to reduce the risk of credential compromise.
  • Monitor device logs for unusual CLI activity or unauthorized configuration changes, for example new administrator accounts, firewall policy or VPN changes outside change windows, and admin logins from unexpected sources.
  • Conduct a security review of Fortinet appliances to confirm that no unauthorized accounts or configuration changes exist.
  • Segment management interfaces from general network access to limit exposure if credentials are compromised.
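One way to act on the monitoring recommendation above, as an added example and not part of the advisory: a small triage script that parses FortiOS-style key=value event logs and flags the changes the list calls out. The log lines are constructed for the example; the field names (`user`, `ui`, `action`, `cfgpath`, `cfgobj`) follow the FortiOS event-log layout as assumed here, and the approved-admin list and management subnet are placeholders to replace with your own.

```python
import ipaddress
import re

# Constructed FortiOS-style "config change" and "admin login" event lines for
# the example; the key=value layout and field names follow the FortiOS event
# log format as assumed here (no real device data).
SAMPLE_LOGS = [
    'date=2025-10-14 time=09:12:01 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" ui="ssh(10.10.0.5)" action="Edit" '
    'cfgpath="system.global" cfgattr="hostname[fw-old->fw-edge-01]" msg="Edit system.global"',
    'date=2025-10-14 time=23:41:17 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Object configured" user="svc-backup" ui="https(192.168.50.77)" action="Add" '
    'cfgpath="system.admin" cfgobj="support2" msg="Add system.admin support2"',
    'date=2025-10-14 time=23:42:05 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Object configured" user="admin" ui="ssh(10.10.0.5)" action="Delete" '
    'cfgpath="firewall.policy" cfgobj="12" msg="Delete firewall.policy 12"',
    'date=2025-10-15 time=02:03:44 devname="fw-edge-01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.9)" action="login" '
    'status="success" msg="Administrator admin logged in successfully from https(203.0.113.9)"',
]

# Placeholders for the example: who may change configuration, and from where.
APPROVED_ADMINS = {"admin", "netops-jane"}
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
CONFIG_ACTIONS = {"Add", "Edit", "Delete"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_event(line: str) -> dict:
    """Splits a key=value event line into a dict; quoted values keep their spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def session_source(ui: str):
    """Extracts the client IP from a ui field such as ssh(10.10.0.5); None for console."""
    m = UI_IP_RE.search(ui)
    return ipaddress.ip_address(m.group(1)) if m else None


def audit_event(entry: dict) -> list:
    """Returns the reasons an event deserves analyst attention (empty if none)."""
    findings = []
    user = entry.get("user", "")
    src = session_source(entry.get("ui", ""))
    # Admin sessions should only originate from the segmented management subnet.
    if src is not None and src not in MGMT_NET:
        findings.append(f"admin session from outside the management subnet ({src})")
    action = entry.get("action")
    if action in CONFIG_ACTIONS:
        path = entry.get("cfgpath", "")
        obj = entry.get("cfgobj", "")
        if user not in APPROVED_ADMINS:
            findings.append(f"configuration change by unapproved account {user!r}")
        # New admin accounts and firewall/VPN edits are the post-exploitation
        # actions the advisory describes, so they are always worth a look.
        if path == "system.admin" and action == "Add":
            findings.append(f"new administrator account {obj!r} created")
        if path.startswith(("firewall.", "vpn.")):
            findings.append(f"{action} on {path} object {obj!r}")
    return findings


def audit(lines) -> dict:
    """Maps the index of each suspicious line to its list of findings."""
    report = {}
    for i, line in enumerate(lines):
        findings = audit_event(parse_event(line))
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for idx, reasons in audit(SAMPLE_LOGS).items():
        print(f"line {idx}:")
        for reason in reasons:
            print("  -", reason)
```

Run against a syslog export or a SIEM query result, the same rules give you a starting list for the review step that follows: any account in a "new administrator" finding that nobody can vouch for should be treated as a backdoor until proven otherwise.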

Reference

For more in-depth information about the threat, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


This post originally appeared on Smarter MSP.
