PT-2025-50127 · Fortinet · Fortiextender
Published 2025-12-09 · Updated 2025-12-10
CVE-2025-64153
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Fortinet FortiExtender versions 7.0 through 7.2
Fortinet FortiExtender versions 7.4.0 through 7.4.7
Fortinet FortiExtender versions 7.6.0 through 7.6.3
Description
An improper neutralization of special elements used in an OS command (OS command injection, CWE-78) exists in Fortinet FortiExtender. Input taken from a specific HTTP request reaches an OS command without proper sanitization, so shell metacharacters in that input are interpreted and an authenticated attacker can execute unauthorized commands or code on the device. The CVSS v2 vector reflects this: authentication is required (Au:S), the attack is network-reachable with low complexity (AV:N/AC:L), and confidentiality, integrity and availability are all completely affected (C:C/I:C/A:C).
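The following is an added illustration of the weakness class described above; it is not FortiExtender code and does not reproduce the actual vulnerable request or parameter. The handler names, the "host" parameter and the use of "echo" as a stand-in for the real diagnostic command are assumptions chosen so the example runs offline. It shows the injection sink (a request parameter spliced into a shell string) next to the two fixes a reviewer would look for: invoking the program with an argv list instead of a shell, and validating the value against an allowlist before it reaches any command.

```python
"""Added illustration of the weakness class in this advisory (CWE-78).

Not FortiExtender code. The handler names, the "host" parameter and the use
of "echo" in place of the real diagnostic command are assumptions made so the
example runs offline.
"""
import re
import subprocess
from typing import Tuple

# Allowlist for a hostname or IPv4 literal. The first character may not be
# '-', so a value such as "-c" cannot turn into an option of the invoked
# program even when it is passed safely as its own argv element (argument
# injection is a separate problem that an argv list alone does not solve).
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_handler(params: dict) -> Tuple[int, str]:
    """Injection sink: the request parameter is spliced into a shell string.

    shell=True hands the whole string to /bin/sh, so ';', '|', '&&', '$(...)'
    and similar metacharacters in the parameter are parsed by the shell.
    """
    host = params.get("host", "")
    proc = subprocess.run("echo ping " + host, shell=True,
                          capture_output=True, text=True)
    return 200, proc.stdout


def argv_handler(params: dict) -> Tuple[int, str]:
    """First fix: no shell. Each argv element is one argument, so shell
    metacharacters in the parameter reach the program as literal text."""
    host = params.get("host", "")
    proc = subprocess.run(["echo", "ping", host], capture_output=True, text=True)
    return 200, proc.stdout


def hardened_handler(params: dict) -> Tuple[int, str]:
    """Second fix on top of the first: reject anything that is not a
    plausible host before any command is built. Returns an HTTP-style
    status code and body."""
    host = params.get("host", "")
    if not HOST_RE.fullmatch(host):
        return 400, "invalid host"
    proc = subprocess.run(["echo", "ping", host], capture_output=True, text=True)
    return 200, proc.stdout


if __name__ == "__main__":
    # Constructed request parameter carrying a second command after ';'.
    payload = {"host": "8.8.8.8; echo INJECTED"}
    print("vulnerable:", vulnerable_handler(payload))  # second line "INJECTED" shows the injected command ran
    print("argv only: ", argv_handler(payload))        # whole payload echoed as one literal argument
    print("hardened:  ", hardened_handler(payload))    # rejected before anything is executed
```

The argv form alone already stops shell injection, which is why the second output line is the payload echoed verbatim rather than a second command running; the allowlist is still worth having because it also closes off option injection and keeps garbage out of logs and downstream parsers.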
Recommendations
FortiExtender 7.0 through 7.2: no fixed release in these branches is listed here; upgrade to a fixed branch (7.4.8 or later, or 7.6.4 or later).
FortiExtender 7.4.0 through 7.4.7: upgrade to 7.4.8 or later.
FortiExtender 7.6.0 through 7.6.3: upgrade to 7.6.4 or later.
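An added triage helper for the affected and fixed versions listed in this advisory. It is not a Fortinet tool; it only encodes the ranges stated on this page, so a version outside them is reported as "not listed" rather than as verified safe. It assumes a version string starts with "major.minor[.patch]" (for example "7.4.3") and ignores any trailing build suffix.

```python
"""Added triage helper for the FortiExtender version ranges in this advisory.

Not a Fortinet tool: it encodes only the affected and fixed versions stated
on this page. Assumes version strings begin with "major.minor[.patch]";
anything after that (e.g. a build suffix) is ignored.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]
_BRANCH_END = 10**6  # sentinel meaning "every patch level in this branch"

# (first affected, last affected, first fixed release or None if none listed)
AFFECTED_RANGES = (
    ((7, 0, 0), (7, 2, _BRANCH_END), None),   # 7.0 through 7.2: no fixed release listed
    ((7, 4, 0), (7, 4, 7), (7, 4, 8)),        # 7.4.0 through 7.4.7, fixed in 7.4.8
    ((7, 6, 0), (7, 6, 3), (7, 6, 4)),        # 7.6.0 through 7.6.3, fixed in 7.6.4
)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse "7.4.3", "v7.4.3" or "7.6.3 build0041" into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def triage(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_in). status is "affected" or "not listed";
    fixed_in is the first fixed release in the same branch, or None when
    the advisory lists none for that branch."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected", (fmt(fixed) if fixed else None)
    return "not listed", None


if __name__ == "__main__":
    # Constructed sample inputs.
    for s in ("7.2.1", "7.4.7", "7.4.8", "7.6.3 build0041", "7.6.4"):
        print(s, "->", triage(s))
```

A result of ("affected", None) means the device sits in the 7.0 through 7.2 range, for which this page lists no fixed release, so the action is a branch upgrade rather than a patch within the branch.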
Fix
Fixed in FortiExtender 7.4.8 and 7.6.4; no fixed release in the 7.0 through 7.2 branches is listed.
Weakness Enumeration
OS Command Injection (CWE-78)
Related Identifiers
CVE-2025-64153
Affected Products
FortiExtender