CVE-2025-64153 in FortiExtender
Summary
by MITRE • 12/09/2025
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiExtender 7.6.0 through 7.6.3, FortiExtender 7.4.0 through 7.4.7, FortiExtender 7.2 all versions, FortiExtender 7.0 all versions may allow an authenticated attacker to execute unauthorized code or commands via a specific HTTP request.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 12/10/2025
The vulnerability identified as CVE-2025-64153 represents a critical os command injection flaw affecting multiple versions of Fortinet FortiExtender devices. This security weakness stems from inadequate input validation and sanitization within the device's web interface handling of specific HTTP requests. The vulnerability manifests when authenticated attackers exploit improper neutralization of special elements used in operating system commands, creating a pathway for arbitrary code execution on the affected devices.
This command injection vulnerability operates through the device's web administration interface where user-supplied input is directly incorporated into system commands without proper sanitization. The flaw allows attackers who have gained authentication credentials to manipulate HTTP requests in ways that trigger command execution on the underlying operating system. The affected versions span across FortiExtender 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, all versions of 7.2, and all versions of 7.0, indicating a widespread impact across the product line. The vulnerability is classified under CWE-77 as improper neutralization of special elements used in a command, which is a well-established weakness pattern in software security.
The operational impact of this vulnerability is severe and multifaceted. An authenticated attacker can execute arbitrary commands on the device with the privileges of the web server process, potentially leading to complete system compromise. This could enable attackers to install backdoors, modify device configurations, access sensitive network information, or use the compromised device as a pivot point for further attacks within the network. The vulnerability particularly affects network infrastructure devices that are often deployed in sensitive locations, making the potential attack surface significant for organizations relying on FortiExtender solutions. The attack requires only authentication credentials, which may be obtained through various means including credential stuffing, phishing, or other initial compromise techniques.
Mitigation strategies for CVE-2025-64153 should prioritize immediate patching of affected devices to the latest firmware versions that address the command injection vulnerability. Organizations should implement network segmentation to limit access to FortiExtender devices and restrict administrative access to only trusted personnel. Additionally, monitoring network traffic for suspicious command execution patterns and implementing web application firewalls can help detect and prevent exploitation attempts. The vulnerability aligns with several ATT&CK techniques including T1059.001 for command and scripting interpreter and T1078.004 for valid accounts, emphasizing the need for robust access controls and credential management. Regular security assessments and vulnerability scanning should be conducted to identify any remaining instances of the vulnerable software in the network infrastructure.