CVE-2025-32932
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in FortiSOAR's web interface allows authenticated attackers to inject malicious scripts into service requests. When other users view these requests, the scripts execute in their browsers, potentially compromising their sessions or performing unauthorized actions. All FortiSOAR versions up to 7.6.1 and 7.5.1, plus all versions of 7.4, 7.3, 7.2, 7.0, and 6.4 are affected.
💻 Affected Systems
- FortiSOAR
📦 What is this software?
Fortisoar by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator credentials, hijack sessions, perform actions as other users, or deploy additional malware within the FortiSOAR environment.
Likely Case
Attackers with authenticated access could steal session cookies, perform unauthorized actions, or redirect users to malicious sites.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing exploitation.
🎯 Exploit Status
Requires authenticated access and the ability to create or modify service requests. Because the XSS is stored, the payload persists in the affected service request until it is cleaned up.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FortiSOAR 7.6.2, 7.5.2, and later versions
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-513
Restart Required: No
Instructions:
1. Back up your FortiSOAR configuration.
2. Upgrade to FortiSOAR 7.6.2, 7.5.2, or a later version.
3. Verify the upgrade completed successfully.
4. Test service request functionality.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation for service request fields to reject or sanitize script tags and JavaScript code.
Content Security Policy
Implement strict Content Security Policy headers to restrict script execution sources.
🧯 If You Can't Patch
- Restrict user permissions to minimize who can create/modify service requests
- Implement web application firewall rules to detect and block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check FortiSOAR version via admin interface or CLI. If version is 7.6.1 or below, 7.5.1 or below, or any 7.4/7.3/7.2/7.0/6.4 version, you are vulnerable.
Check Version:
Check via the FortiSOAR web UI under System Information, or use the CLI command specific to your deployment.
Verify Fix Applied:
After patching, verify the version is 7.6.2 or later on the 7.6 branch, or 7.5.2 or later on the 7.5 branch. Test service request creation with script-like input to confirm it is rendered inert rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual service request creation/modification patterns
- JavaScript or script tags in service request fields
- Multiple failed login attempts followed by service request activity
Network Indicators:
- Unexpected outbound connections from FortiSOAR server after viewing service requests
- Suspicious JavaScript payloads in HTTP requests
SIEM Query:
source="fortisoar" AND (event_type="service_request" AND (message="*<script>*" OR message="*javascript:*"))
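The SIEM query above, carried through as executable detection logic over constructed log lines. This is an added example, not part of the advisory or of FortiSOAR's own tooling: the key="value" log layout and field names are assumptions, and the matching goes a little beyond the plain wildcard query by being case-insensitive, whitespace-tolerant, and applied after HTML-entity decoding.

```python
import html
import re

# Indicators mirrored from the SIEM query above: an inline <script> tag or a
# javascript: URL scheme in a service-request field. Matched case-insensitively,
# tolerating whitespace and entity encoding that a plain "*<script>*" wildcard misses.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_SCHEME = re.compile(r"javascript\s*:", re.IGNORECASE)
FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> dict:
    """Split a key="value" log line into a dict (assumed format, not FortiSOAR's own)."""
    return dict(FIELD.findall(line))


def xss_indicators(message: str) -> list:
    """Return the indicator names found in one service-request message."""
    decoded = html.unescape(message)  # also catch fields stored as &lt;script&gt;
    found = []
    if SCRIPT_TAG.search(decoded):
        found.append("script_tag")
    if JS_SCHEME.search(decoded):
        found.append("javascript_scheme")
    return found


def scan(lines) -> list:
    """Apply the query's source/event_type filters and report flagged records."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("source") != "fortisoar" or rec.get("event_type") != "service_request":
            continue
        reasons = xss_indicators(rec.get("message", ""))
        if reasons:
            hits.append({"user": rec.get("user", "?"), "reasons": reasons})
    return hits


# Constructed sample records; the layout and users are assumptions for this example.
SAMPLE_LOGS = [
    'source="fortisoar" event_type="service_request" user="alice" message="Printer on floor 3 is offline"',
    'source="fortisoar" event_type="service_request" user="bob" message="see <SCRIPT>test</SCRIPT>"',
    'source="fortisoar" event_type="service_request" user="carol" message="link: JavaScript :void(0)"',
    'source="fortisoar" event_type="service_request" user="dan" message="&lt;script&gt;encoded&lt;/script&gt;"',
    'source="fortisoar" event_type="login" user="erin" message="<script>not a service request"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"user={hit['user']} indicators={','.join(hit['reasons'])}")
```

Records that fail the source or event_type filter are skipped even when they contain a pattern, matching the query's scoping.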