MEDIUM 6.7

CVE-2025-67862: Fortinet FortiOS & FortiProxy Admin Lua Script Execution Vulnerability

Fortinet FortiOS and FortiProxy contain a debug access vulnerability that allows authenticated administrators to execute arbitrary Lua scripts through specially crafted command-line commands. While admin-level credentials are required to exploit this issue, successful exploitation could enable code execution and system compromise. The vulnerability affects multiple versions across both product lines and has been assigned a CVSS score of 6.7 (Medium severity).

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.7 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-1244
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-07-14

NVD description (verbatim)

An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability [CWE-1244] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0 all versions may allow an authenticated admin to execute lua scripts via crafted CLI commands.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability stems from insufficient protection of internal debug functionality, classified as CWE-1244 (Internal Asset Exposed to Unsafe Debug Access Level or State). The flaw allows an authenticated admin user to bypass normal execution restrictions and invoke Lua script execution via the CLI interface. The local attack vector combined with high-privilege prerequisite means exploitation requires existing admin access, but the impact—confidentiality, integrity, and availability compromise—remains significant. The vulnerability persists across multiple major versions of both FortiOS and FortiProxy, indicating a systemic issue in how debug interfaces are gated.

Business impact

Organizations relying on FortiOS or FortiProxy for network security face insider threat exposure and potential lateral movement risk. A malicious or compromised admin account could execute scripts to modify firewall rules, exfiltrate traffic logs, disable security functions, or pivot to other network assets. For environments where admin accounts are shared or insufficiently segregated, the blast radius increases. This vulnerability does not require network exposure, reducing external threat surface but heightening concern for supply-chain attacks and insider scenarios.

Affected systems

Affected versions include FortiOS 6.4 (all versions), 7.0.0–7.0.16, 7.2.0–7.2.10, 7.4.0–7.4.7, and 7.6.0–7.6.2. FortiProxy is impacted in versions 7.0 (all), 7.2.0–7.2.14, 7.4.0–7.4.10, and 7.6.0–7.6.3. Organizations running any of these versions should prioritize inventory and assessment. Versions released after the indicated upper bounds are presumed patched; verify against Fortinet's official advisories.

Exploitability

Exploitation requires authenticated admin credentials and direct CLI access—a significant barrier that excludes remote, unauthenticated attack scenarios. However, in environments with weak access controls, shared admin accounts, or compromised admin credentials, the risk escalates rapidly. The simplicity of the attack surface (CLI commands) means no complex exploitation techniques or special tools are necessary once access is obtained. The lack of CISA KEV listing suggests limited evidence of active, in-the-wild exploitation to date, but this does not diminish the risk for targeted insider threats.

Remediation

Organizations must apply vendor-supplied patches immediately upon availability. Until patches are deployed, restrict CLI access to FortiOS and FortiProxy systems to highly trusted personnel, enforce multi-factor authentication for admin accounts, and implement privileged access management (PAM) solutions to audit and control administrative activity. Consider network segmentation to limit lateral movement if an admin account is compromised. Review audit logs for suspicious Lua script execution or unexpected CLI commands.

Patch guidance

Monitor Fortinet's security advisories for patch releases addressing this vulnerability. Patches will be released for affected version branches; apply updates in the following order: oldest affected versions first, followed by more recent releases. Test patches in a non-production environment before deployment to ensure compatibility. For FortiOS and FortiProxy, coordinate patching with your maintenance windows to minimize firewall disruption. Verify successful remediation by confirming the patched version number after upgrade.

Detection guidance

Monitor CLI audit logs for attempts to invoke Lua script execution through suspicious or unusual commands. Look for admin accounts executing commands outside normal operational patterns. Network-based detection is limited due to the local attack vector; focus on endpoint logging and CLI history retention. FortiOS and FortiProxy logs should be forwarded to a centralized SIEM for correlation and alerting on privilege escalation or debug-related activity. Implement behavioral baselines for admin activity to flag anomalies.

Why prioritize this

Although the CVSS score is Medium (6.7) and exploitation requires admin credentials, the integrity and availability impact coupled with the broad version range affected warrants prioritized patching. Insider threat scenarios and credential compromise represent realistic attack paths in many organizations. The lack of current public exploitation does not justify deferral; proactive patching reduces exposure window and closes a privilege-escalation pathway before threat actors develop interest.

Risk score, explained

The CVSS 6.7 (Medium) score reflects the high-impact consequences (confidentiality, integrity, availability all affected) tempered by the requirement for local access and high privilege (authenticated admin). The CVSS vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H correctly captures these factors. However, context-dependent factors—such as the sensitivity of traffic passing through the firewall, the degree of admin account compartmentalization, and threat actor interest in insider scenarios—may elevate practical risk beyond the numeric score in specific environments.

Frequently asked questions

What is CWE-1244 and why does it matter here?

CWE-1244 describes scenarios where internal debugging or testing capabilities are left accessible without proper restrictions. In this case, Lua script execution—likely intended for authorized vendor troubleshooting—is exposed via CLI commands to authenticated admins. This blurs the line between normal functionality and debug access, creating an unintended privilege escalation vector.

Do I need to patch if I restrict CLI admin access tightly?

Restrictions are a useful control layer, but they are not a substitute for patches. A determined insider, a compromised account, or a supply-chain compromise could still leverage this vulnerability. Patches remove the underlying flaw and are the definitive remediation.

Is this vulnerability being actively exploited in the wild?

No. The vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update. However, absence of public evidence does not mean it is safe to defer; threat actors may exploit it privately. Timely patching is the best defense.

Can this be exploited remotely over the network?

No. The attack vector is local (AV:L), meaning an attacker must already have command-line access to the system. Remote code execution is not possible via this vulnerability alone, but it can be leveraged by someone with existing admin access or by someone who has compromised an admin account.

This analysis is provided for informational purposes. Patch version numbers and product availability must be verified against official Fortinet security advisories and release notes. Organizations should conduct their own risk assessment based on their specific deployment, network architecture, and threat landscape. SEC.co provides no warranty regarding the completeness or accuracy of external vendor information. Always consult Fortinet's official guidance before deploying patches or changes to production systems. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).