Warning: Important to critical vulnerabilities in various Fortinet products can be exploited to lead to remote code execution. Patch Immediately!

Published : 13/08/2025

    * Last update: 13/08/2025

    * Affected products:
      • FortiSIEM
      • FortiOS
      • FortiPAM
      • FortiProxy
      • FortiSwitchManager
      • FortiADC
      • FortiWeb

    * Type: Remote Code Execution, Privilege Escalation

    * CVE/CVSS:

  • CVE-2025-25256: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2024-26009: CVSS 7.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2025-49813: CVSS 6.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2025-52970: CVSS 7.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • CVE-2025-53744: CVSS 6.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Sources

Fortinet:

Risks

On 12 August 2025, Fortinet released 5 security advisories addressing vulnerabilities in various Fortinet products. Their impact ranges from privilege escalation to remote code execution.

Fortinet devices are commonly found on the external periphery of enterprise networks and are therefore valuable targets for attackers. Fortinet products are regularly targeted, including in mass campaigns. Fortinet has already observed exploitation attempts for one of the vulnerabilities (CVE-2025-25256). Practical exploit code was found in the wild (cut-off date: 13 August 2025).

Exploitation of the vulnerabilities listed below can have a high impact on confidentiality, integrity and availability.

Description

CVE-2025-25256 is an unauthenticated command injection vulnerability affecting numerous versions of FortiSIEM. An unauthenticated, remote attacker could exploit it to execute unauthorized code or commands via crafted CLI requests.
Fortinet warns that practical exploit code for this vulnerability was already found in the wild (cut-off date: 13 August 2025). The vendor indicates that the exploitation code they observed did not appear to produce distinctive indicators of compromise. They also gave a workaround, which consists of limiting access to the phMonitor port 7900.
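Because the vendor reports no distinctive indicators of compromise for CVE-2025-25256, the workaround (restricting who can reach phMonitor on TCP 7900) doubles as a detection rule: any connection to that port from outside the approved management networks is worth a look. The script below is an added example, not part of the CCB advisory or of Fortinet's own tooling; the firewall log format, the allow-listed CIDRs and the sample lines are assumptions constructed for illustration.

```python
# Added example (not from the CCB advisory or Fortinet): flag connections to the
# FortiSIEM phMonitor port (TCP 7900) that do not originate from an approved
# management network. Log format and CIDRs below are assumptions.
import ipaddress
import re

PHMONITOR_PORT = 7900

# Assumed: networks that legitimately talk to phMonitor (collectors, workers, admins).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]

# Assumed generic firewall log format, e.g.:
#   2025-08-13T09:14:02Z src=203.0.113.7:51234 dst=10.10.1.5:7900 proto=tcp action=allow
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)"
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_allowed_source(ip_str):
    """True if the source address falls inside one of the allow-listed networks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWED_SOURCES)

def find_unexpected_phmonitor_access(lines):
    """Return (timestamp, src, dst, action) for TCP 7900 hits from outside the allow-list.
    Denied hits are reported too: a blocked probe still tells you someone is looking."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if int(rec["dport"]) != PHMONITOR_PORT or is_allowed_source(rec["src"]):
            continue
        findings.append((rec["ts"], rec["src"], rec["dst"], rec["action"]))
    return findings

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOGS = [
    "2025-08-13T09:14:02Z src=10.10.2.20:41000 dst=10.10.1.5:7900 proto=tcp action=allow",
    "2025-08-13T09:14:05Z src=203.0.113.7:51234 dst=10.10.1.5:7900 proto=tcp action=allow",
    "2025-08-13T09:14:09Z src=198.51.100.4:51235 dst=10.10.1.5:7900 proto=tcp action=deny",
    "2025-08-13T09:15:00Z src=203.0.113.7:51236 dst=10.10.1.5:443 proto=tcp action=allow",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, src, dst, action in find_unexpected_phmonitor_access(SAMPLE_LOGS):
        print(f"{ts} {src} -> {dst}:{PHMONITOR_PORT} ({action})")
```

An allowed hit from an unexpected source is the priority case: it means the workaround is not in place and the supervisor should be checked for post-exploitation activity.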
 
CVE-2024-26009 is an authentication bypass using an alternate path or channel vulnerability affecting multiple versions of FortiOS, FortiProxy and FortiPAM. Successful exploitation of this vulnerability allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number.

CVE-2025-49813 is an OS command injection vulnerability in different versions of FortiADC. A remote, authenticated attacker with low privileges could execute unauthorized code on the system via specifically crafted HTTP parameters.

CVE-2025-52970 is an improper handling of parameters vulnerability in various versions of FortiWeb. Successful exploitation may allow an unauthenticated remote attacker in possession of non-public information (pertaining to both the device and to the targeted user) to log in as any existing user on the device via a specially crafted request.

CVE-2025-53744 is an incorrect privilege assignment vulnerability affecting multiple versions of FortiOS. There is a flaw in FortiOS Security Fabric that a remote, authenticated attacker with high privileges could exploit in order to escalate their privileges to super-admin by registering the device to a malicious FortiManager.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

When mitigation measures or workarounds are available, consider implementing these as soon as possible and wherever feasible until you have completed patching.

Where vulnerabilities affect end of life devices, the Centre for Cybersecurity Belgium strongly encourages moving to a supported version.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.