CVE-2025-31365: Execute unauthorized code or commands in Fortinet FortiClientMac
An Improper Control of Generation of Code ('Code Injection') vulnerability [CWE-94] in FortiClientMac 7.4.0 through 7.4.3 and 7.2.1 through 7.2.8 may allow an unauthenticated attacker to execute arbitrary code on the victim's host by tricking the user into visiting a malicious website.
AI Analysis
Technical Summary
CVE-2025-31365 is a vulnerability classified as Improper Control of Generation of Code (CWE-94) affecting Fortinet's FortiClientMac software versions 7.4.0 through 7.4.3 and 7.2.1 through 7.2.8. The flaw allows an unauthenticated attacker to perform code injection when the victim is tricked into visiting a maliciously crafted website. It arises from insufficient validation or sanitization of input that is used to generate code dynamically, which enables the injection and execution of arbitrary commands on the victim's Mac host. The attack vector is network-based (AV:N) and requires no privileges (PR:N), but it does require user interaction (UI:R), namely visiting the malicious site. The vulnerability has a changed scope (S:C), meaning it can affect resources beyond the initially vulnerable component. Impact on confidentiality, integrity, and availability is rated low (C:L/I:L/A:L). The CVSS 3.1 base score is 5.5 (medium), reflecting the partial impact and the user interaction needed to exploit it. No public exploits have been reported yet, but the potential for exploitation exists given the widespread use of FortiClientMac in enterprise environments for VPN and endpoint security. The vulnerability highlights the risk of code injection in security client software, which could undermine endpoint defenses if exploited.
Potential Impact
If exploited, this vulnerability could allow attackers to execute arbitrary code on Mac endpoints running vulnerable FortiClientMac versions, potentially leading to unauthorized access, data leakage, or disruption of endpoint security functions. Although the impact on confidentiality, integrity, and availability is rated low, the compromise of endpoint security software could facilitate further lateral movement or persistence within an organization's network. The requirement for user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks. Organizations relying on FortiClientMac for VPN access or endpoint protection may face increased risk of compromise, especially if users are susceptible to social engineering or phishing attacks. The vulnerability could undermine trust in endpoint security solutions and expose sensitive corporate resources to attackers.
Mitigation Recommendations
1. Monitor Fortinet advisories closely and apply patches or updates as soon as Fortinet releases fixed versions for FortiClientMac.
2. Until patches are available, implement strict web filtering to block access to known malicious or suspicious websites, reducing the risk of users being redirected to exploit sites.
3. Educate users about the risks of visiting untrusted websites and of phishing, since the attack depends on that user interaction.
4. Employ endpoint detection and response (EDR) solutions capable of detecting anomalous code execution or injection attempts on Mac endpoints.
5. Restrict execution privileges on endpoints to limit the impact of arbitrary code execution.
6. Use network segmentation and least-privilege principles to minimize potential lateral movement if an endpoint is compromised.
7. Conduct regular security awareness training emphasizing safe browsing habits and recognizing social engineering attempts.
8. Review and harden FortiClientMac configurations to disable unnecessary features that could be exploited.
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, France, Japan, South Korea, Singapore, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: fortinet
- Date Reserved: 2025-03-28T10:49:05.633Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ee702b75ce224a0426b556
Added to database: 10/14/2025, 3:45:47 PM
Last enriched: 2/27/2026, 1:32:17 AM
Last updated: 3/24/2026, 5:39:20 PM