Restricted CLI escape using Lua

Monitor
CVSS: 6
Advisory ID: FG-IR-26-143
Date: Jun 9, 2026
Vendor: Fortinet
Sector: IT in OT - Fortinet products are commonly deployed at IT/OT network boundaries

Attack path
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in FortiOS and FortiProxy allows an authenticated administrator or operator with CLI access to escape restrictions and execute arbitrary Lua scripts. This could allow a privileged user to bypass command restrictions and execute unauthorized code with the privileges of the FortiOS/FortiProxy process.

What this means
What could happen
An admin-level user with CLI access could run unauthorized Lua scripts on your Fortinet firewall or proxy, potentially allowing them to modify firewall rules, intercept traffic, or alter network security policies without the activity being captured in the audit trail.
Who's at risk
Organizations running Fortinet FortiOS or FortiProxy as edge firewalls or security gateways should review their admin access controls. This affects IT teams responsible for firewall configuration, particularly those with distributed admin access or third-party management systems.
How it could be exploited
An attacker with valid admin credentials and CLI access (via SSH, console, or REST API) could craft a specially formed CLI command that escapes the Lua script execution restrictions, allowing arbitrary script code to run with the same privileges as the FortiOS/FortiProxy process. This requires the attacker to already have high-privilege access to the device.
Prerequisites
  • Valid administrator or operator CLI credentials
  • Network or console access to the Fortinet device (SSH, console terminal, or REST API access)
  • Knowledge that the target is running a vulnerable FortiOS or FortiProxy version
Key points
  • Requires high privilege (admin credentials)
  • Low complexity to exploit once inside
  • Can bypass audit and control mechanisms
  • Affects security appliances that protect the network perimeter
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (9)
9 with fix
Product      Affected Versions    Fix Status
FortiOS      7.6.0 - 7.6.2        7.6.3+
FortiOS      7.4.0 - 7.4.7        7.4.8+
FortiOS      7.2.0 - 7.2.10       7.2.11+
FortiOS      7.0.0 - 7.0.16       7.0.17+
FortiOS      6.4 all versions     Migrate to fixed release
FortiProxy   7.6.0 - 7.6.3        7.6.4+
FortiProxy   7.4.0 - 7.4.10       7.4.11+
FortiProxy   7.2.0 - 7.2.14       7.2.15+
Remediation & Mitigation

Do now

FortiOS
WORKAROUND: Disable or restrict SSH and REST API access to FortiOS/FortiProxy management interfaces to trusted networks only, using firewall rules if possible

All products
HARDENING: Restrict CLI access to your Fortinet devices to a minimal set of trusted administrators and remove unnecessary service accounts with admin privileges
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FortiOS
HOTFIX: Update FortiOS to version 7.6.3 or later (7.6.x), 7.4.8 or later (7.4.x), 7.2.11 or later (7.2.x), or 7.0.17 or later (7.0.x)
HOTFIX: Migrate FortiOS 6.4 installations to a supported fixed release (7.0.17 or later, 7.2.11 or later, 7.4.8 or later, or 7.6.3 or later)

FortiProxy
HOTFIX: Update FortiProxy to version 7.6.4 or later (7.6.x), 7.4.11 or later (7.4.x), or 7.2.15 or later (7.2.x)
HOTFIX: Migrate FortiProxy 7.0 installations to a supported fixed release (7.2.15 or later, 7.4.11 or later, or 7.6.4 or later)

Long-term hardening

HARDENING: Review and audit CLI access logs for suspicious script execution commands, especially any with Lua script content
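As an added illustration, not part of the advisory or of any Fortinet tooling, the script below checks a device inventory against the affected ranges in the table above (plus the FortiProxy 7.0 branch named in the remediation text) and reports the fix target for each device. The inventory, hostnames and version strings are constructed; the `build` suffix format mirrors what FortiOS shows in `get system status` but is only an assumption here.

```python
# Added example: triage FortiOS / FortiProxy version strings against the
# affected ranges in this advisory. Not vendor code; inventory is constructed.
import re

# (lowest affected, highest affected, first fixed release). A None patch
# number in the upper bound means the whole branch is affected, and a None
# fix means the advisory says to migrate to a fixed release instead.
AFFECTED = {
    "FortiOS": [
        ((7, 6, 0), (7, 6, 2), "7.6.3"),
        ((7, 4, 0), (7, 4, 7), "7.4.8"),
        ((7, 2, 0), (7, 2, 10), "7.2.11"),
        ((7, 0, 0), (7, 0, 16), "7.0.17"),
        ((6, 4, 0), (6, 4, None), None),
    ],
    "FortiProxy": [
        ((7, 6, 0), (7, 6, 3), "7.6.4"),
        ((7, 4, 0), (7, 4, 10), "7.4.11"),
        ((7, 2, 0), (7, 2, 14), "7.2.15"),
        ((7, 0, 0), (7, 0, None), None),   # from the remediation section
    ],
}

def parse_version(text):
    """Turn 'v7.4.7,build2731', '7.4.7' or '7.4' into (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def assess(product, version_text):
    """Return (affected, fix): fix is the first fixed release, or None to migrate."""
    v = parse_version(version_text)
    for low, high, fix in AFFECTED.get(product, []):
        whole_branch = high[2] is None
        if (v[:2] == low[:2]) if whole_branch else (low <= v <= high):
            return True, fix
    return False, None

def triage(inventory):
    """Map each (host, product, version) to the action the advisory calls for."""
    report = {}
    for host, product, version in inventory:
        affected, fix = assess(product, version)
        if not affected:
            report[host] = "not affected"
        elif fix is None:
            report[host] = "migrate to a fixed release"
        else:
            report[host] = f"update to {fix} or later"
    return report

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "v7.4.7,build2731"),
    ("fw-edge-02", "FortiOS", "7.4.8"),
    ("fw-legacy", "FortiOS", "6.4.15"),
    ("proxy-dmz", "FortiProxy", "7.0.19"),
]
```

Running `triage(INVENTORY)` flags fw-edge-01 for update, fw-edge-02 as not affected, and the 6.4 and FortiProxy 7.0 devices for migration; unknown products fall through as not affected, so check product names are spelled as in the table.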