CVE-2025-47856
📋 TL;DR
Two OS command injection vulnerabilities in Fortinet FortiVoice allow privileged attackers to execute arbitrary commands via crafted HTTP/HTTPS or CLI requests. This affects FortiVoice versions 7.2.0, 7.0.0 through 7.0.6, and versions before 6.4.10. Attackers with administrative access can gain full system control.
💻 Affected Systems
- Fortinet FortiVoice
📦 What is this software?
Fortivoice by Fortinet
Fortivoice by Fortinet
Fortivoice by Fortinet
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining root access, installing persistent backdoors, pivoting to other network systems, and exfiltrating sensitive data.
Likely Case
Privileged attacker executes commands to create administrative accounts, disable security controls, or deploy ransomware/cryptominers.
If Mitigated
Attack limited to command execution within application context if proper network segmentation and least privilege are enforced.
🎯 Exploit Status
Exploitation requires administrative credentials but is straightforward once authenticated. No public exploit code available at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.2.1, 7.0.7, 6.4.10
Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-250
Restart Required: Yes
Instructions:
1. Backup configuration. 2. Download appropriate firmware from Fortinet support portal. 3. Upload firmware via web interface or CLI. 4. Reboot appliance. 5. Verify version after reboot.
🔧 Temporary Workarounds
Restrict administrative access
allLimit administrative access to trusted IP addresses only using firewall rules.
config system interface
edit <interface>
set allowaccess https ssh
set trust-ip-1 <trusted_ip>
end
Enable multi-factor authentication
allRequire MFA for all administrative accounts to reduce credential compromise risk.
config user local
edit <admin_user>
set two-factor enable
set two-factor email/fortitoken
end
🧯 If You Can't Patch
- Isolate FortiVoice appliance in separate VLAN with strict firewall rules allowing only necessary traffic.
- Implement network segmentation and monitor for unusual administrative activity or command execution patterns.
🔍 How to Verify
Check if Vulnerable:
Check FortiVoice firmware version via web interface (System > Dashboard) or CLI command: get system statusCheck Version:
get system status | grep VersionVerify Fix Applied:
Confirm version is 7.2.1, 7.0.7, or 6.4.10+ using: get system status📡 Detection & Monitoring
Log Indicators:
- Unusual administrative login patterns
- CLI commands containing special characters or shell metacharacters
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unusual outbound connections from FortiVoice appliance
- HTTP/HTTPS requests with command injection patterns to administrative endpoints
SIEM Query:
source="fortivoice" AND (event_type="admin_login" OR cmd="*;*" OR cmd="*|*" OR cmd="*`*" OR cmd="*$(*")