CVE-2025-58324

6.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated attackers to inject malicious scripts into FortiSIEM web pages, which execute when other users view those pages. It affects all versions of FortiSIEM from 6.2 through 7.2.2, potentially compromising user sessions and data.

💻 Affected Systems

Products:
  • FortiSIEM
Versions: 6.2 through 7.2.2 (all versions in this range)
Operating Systems: FortiSIEM appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with affected versions are vulnerable; requires authenticated user access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker steals administrator credentials, takes full control of FortiSIEM, accesses sensitive security data, and pivots to other systems.

🟠 Likely Case

Attacker hijacks user sessions, steals authentication tokens, performs actions as authenticated users, and exfiltrates sensitive information.

🟢 If Mitigated

Script execution blocked by browser security controls, limited to same-origin actions with minimal impact.

🌐 Internet-Facing: HIGH if FortiSIEM is exposed to the internet, as any authenticated user could exploit it.
🏢 Internal Only: MEDIUM, as it requires authenticated access, but insider threats or compromised accounts could exploit it.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and knowledge of the vulnerable endpoints; because the XSS is stored, the payload persists and fires for every user who later views the affected page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.2.3 or later (check vendor advisory for specific version)

Vendor Advisory: https://fortiguard.fortinet.com/psirt/FG-IR-24-280

Restart Required: No

Instructions:

1. Review the vendor advisory for specific patching instructions.
2. Upgrade to FortiSIEM version 7.2.3 or later.
3. Apply the patch through the FortiSIEM management interface.
4. Verify patch installation and test functionality.

🔧 Temporary Workarounds

Input Validation Enhancement

Applies to: all

Implement additional input validation and output encoding for user-supplied data in web interfaces.

Content Security Policy

Applies to: all

Deploy strict Content Security Policy headers to restrict script execution sources.

🧯 If You Can't Patch

  • Restrict FortiSIEM access to trusted networks only using firewall rules.
  • Implement web application firewall (WAF) with XSS protection rules.

🔍 How to Verify

Check if Vulnerable:

Check the FortiSIEM version via the admin interface; if the version is between 6.2 and 7.2.2 inclusive, the system is vulnerable.

Check Version:

Log in to the FortiSIEM web interface and navigate to System > Status to view the version.

Verify Fix Applied:

Verify that the version is 7.2.3 or later; test XSS payload injection attempts to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests with script tags or JavaScript code in parameters
  • Multiple failed XSS attempts from same source

Network Indicators:

  • HTTP requests containing <script> tags or JavaScript in URL parameters or POST data

SIEM Query:

source="fortisiem" AND (http_request CONTAINS "<script>" OR http_request CONTAINS "javascript:")
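To make the SIEM query's conditions concrete, here is an added example (not from the advisory or from Fortinet) that applies the same `<script` / `javascript:` checks to constructed web-access log lines and then counts hits per source, matching the "multiple attempts from same source" indicator above. The key=value log format, field names and addresses are constructed assumptions, and the example goes slightly beyond the literal query by URL-decoding and lowercasing the request first, since a plain CONTAINS on the raw request misses `%3Cscript%3E` and mixed-case variants.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines in a hypothetical key=value access-log format.
# Field names, paths and addresses are assumptions, not FortiSIEM's real schema.
SAMPLE_LOGS = [
    'src=10.0.0.5 user=alice method=POST http_request="/ui/report?name=Weekly+Summary"',
    'src=10.0.0.9 user=bob method=POST http_request="/ui/comment?text=%3Cscript%3Ealert(1)%3C/script%3E"',
    'src=10.0.0.9 user=bob method=POST http_request="/ui/comment?text=%3CSCRIPT+src%3Dx%3E"',
    'src=10.0.0.9 user=bob method=GET http_request="/ui/profile?link=JavaScript%3Aalert(1)"',
    'src=10.0.0.7 user=carol method=GET http_request="/ui/search?q=javascript+tutorial"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Same two indicators as the SIEM query; "<script" also catches "<script src=...>".
XSS_RE = re.compile(r'<script|javascript:', re.IGNORECASE)


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_xss_indicator(request):
    """Equivalent of the query's CONTAINS checks after URL-decoding twice
    (double encoding is common) and matching case-insensitively."""
    decoded = unquote_plus(unquote_plus(request))
    return XSS_RE.search(decoded) is not None


def detect(lines, threshold=2):
    """Return (matched events, sources with at least `threshold` hits)."""
    hits = [ev for ev in map(parse_line, lines)
            if is_xss_indicator(ev.get("http_request", ""))]
    per_source = Counter(ev["src"] for ev in hits)
    repeat_sources = sorted(s for s, n in per_source.items() if n >= threshold)
    return hits, repeat_sources


if __name__ == "__main__":
    events, sources = detect(SAMPLE_LOGS)
    for ev in events:
        print(f"XSS indicator: src={ev['src']} user={ev['user']} {ev['http_request']}")
    print("repeat sources:", sources)
```

Note that `javascript` alone (as in carol's search) does not match; only the `javascript:` URL scheme does, which keeps ordinary search terms out of the alert stream.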
