CVE-2025-31365: Execute unauthorized code or commands in Fortinet FortiClientMac
An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientMac 7.4.0 through 7.4.3, 7.2.1 through 7.2.8 may allow an unauthenticated attacker to execute arbitrary code on the victim's host via tricking the user into visiting a malicious website.
AI Analysis
Technical Summary
CVE-2025-31365 is a code injection vulnerability classified under CWE-94 affecting Fortinet's FortiClientMac versions 7.4.0 through 7.4.3 and 7.2.1 through 7.2.8. The flaw arises from improper control over code generation, allowing an attacker to inject and execute arbitrary code on the victim’s macOS host. Exploitation requires no authentication but depends on social engineering to trick users into visiting a malicious website, which then triggers the code injection. The vulnerability impacts confidentiality, integrity, and availability by potentially allowing attackers to run unauthorized commands or code, compromising the system and data. The CVSS 3.1 score is 5.5 (medium), reflecting network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. Currently, no public exploits or active exploitation in the wild have been reported, but the potential for targeted attacks remains. FortiClientMac is widely used in enterprise environments for endpoint security on macOS, making this vulnerability relevant for organizations relying on Fortinet’s security ecosystem. The vulnerability was reserved in March 2025 and published in October 2025, with no patch links yet provided, indicating that remediation may still be pending or in progress.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized code execution on macOS endpoints protected by FortiClientMac, potentially leading to data breaches, lateral movement within networks, or disruption of services. The requirement for user interaction limits mass exploitation but increases risk from targeted phishing or watering hole attacks. Confidentiality could be compromised by data exfiltration, integrity by unauthorized changes to system or application files, and availability by disruption or destruction of services. Organizations in sectors with high macOS usage and critical infrastructure, such as finance, government, and technology, may face elevated risks. The vulnerability could undermine trust in endpoint security solutions and lead to compliance issues under regulations like GDPR if personal data is exposed. The lack of known exploits currently reduces immediate threat but does not eliminate the risk of future weaponization.
Mitigation Recommendations
European organizations should proactively monitor Fortinet advisories for patches addressing CVE-2025-31365 and apply updates promptly once available. In the meantime:
- Until patches are released, implement network-level protections such as web filtering to block access to suspicious or untrusted websites that could host malicious payloads.
- Enhance user awareness training focused on phishing and social engineering tactics to reduce the likelihood of users visiting malicious sites.
- Employ endpoint detection and response (EDR) tools to identify unusual process behaviors indicative of code injection.
- Restrict execution privileges on macOS endpoints to limit the impact of potential code execution.
- Consider isolating or segmenting macOS devices running FortiClientMac in sensitive environments to contain potential compromises.
- Regularly audit and review FortiClientMac configurations to ensure minimal exposure to attack vectors.
- Maintain comprehensive logging and monitoring to detect early signs of exploitation attempts.
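The affected ranges stated in the advisory (7.4.0 through 7.4.3 and 7.2.1 through 7.2.8) are the kind of fact an inventory check should encode exactly, because the neighbouring versions (7.2.0, 7.4.4) fall outside them. The script below is an added example and is not part of this advisory page or of Fortinet's own tooling: it parses FortiClientMac version strings, classifies each against the advisory's ranges, and triages a constructed sample inventory. It assumes that any fourth component or suffix in a version string (a build number, for instance) can be ignored for the comparison, and it treats unparseable strings as "unknown" rather than "not affected". How the version strings are collected from the endpoints is outside the example.

```python
"""Classify FortiClientMac version strings against the ranges named in the
CVE-2025-31365 advisory: 7.4.0 through 7.4.3 and 7.2.1 through 7.2.8.
Added example; the inventory records below are constructed sample data."""
from __future__ import annotations

import re

# (inclusive lower bound, inclusive upper bound), taken from the advisory text.
AFFECTED_RANGES = (
    ((7, 4, 0), (7, 4, 3)),
    ((7, 2, 1), (7, 2, 8)),
)

# major.minor.patch, optionally prefixed with "v" and followed by a build
# suffix such as ".1802" or "-beta" (assumed ignorable for range checks).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[.\-+].*)?$")


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Return (major, minor, patch) for strings such as '7.4.3' or
    '7.4.3.1802'; None when the string cannot be parsed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool | None:
    """True if the version lies inside an affected range, False if outside,
    None if the string is unparseable (treat as unknown, never as safe)."""
    v = parse_version(text)
    if v is None:
        return None
    # Tuple comparison is lexicographic, so 7.2.0 < 7.2.1 and 7.4.4 > 7.4.3.
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed sample inventory; hostnames and versions are not real data.
SAMPLE_INVENTORY = [
    {"host": "mac-fin-01", "version": "7.4.3"},
    {"host": "mac-fin-02", "version": "7.4.4"},
    {"host": "mac-dev-07", "version": "7.2.0"},
    {"host": "mac-dev-08", "version": "7.2.8.1443"},
    {"host": "mac-ops-03", "version": "unknown"},
]


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Split an inventory into hosts that need patching, hosts outside the
    advisory's ranges, and hosts whose version must be checked by hand."""
    report: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for rec in inventory:
        verdict = is_affected(rec["version"])
        if verdict is None:
            report["unknown"].append(rec["host"])
        elif verdict:
            report["affected"].append(rec["host"])
        else:
            report["not_affected"].append(rec["host"])
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket deserve the same follow-up as affected ones: a version string that cannot be read is a gap in the inventory, not evidence that the endpoint is outside the advisory.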
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: fortinet
- Date Reserved: 2025-03-28T10:49:05.633Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ee702b75ce224a0426b556
Added to database: 10/14/2025, 3:45:47 PM
Last enriched: 10/21/2025, 4:52:12 PM
Last updated: 12/4/2025, 1:27:06 AM