CVE-2025-31104: An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiADC 7.6.0 through...
Description
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiADC 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.7, 7.1.0 through 7.1.4, 7.0 all versions, 6.2 all versions, 6.1 all versions may allow an authenticated attacker to execute unauthorized code via crafted HTTP requests.
Classification
CVE ID: CVE-2025-31104
CVSS Base Severity: HIGH
CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F/RL:X/RC:C
Problem Types
Execute unauthorized code or commandsAffected Products
Vendor: Fortinet
Product: FortiADC
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.22% (probability of being exploited)
EPSS Percentile: 45.22% (scored less or equal to compared to others)
EPSS Date: 2025-06-17 (when was this score calculated)
Stakeholder-Specific Vulnerability Categorization (SSVC)
SSVC Exploitation: none
SSVC Technical Impact: total
SSVC Automatable: false
References
https://nvd.nist.gov/vuln/detail/CVE-2025-31104https://fortiguard.fortinet.com/psirt/FG-IR-25-099