CVE-2025-31366 is a reflected cross-site scripting (XSS) vulnerability identified in Fortinet FortiProxy and FortiOS products spanning versions 6.4 all versions through 7.6.3. The root cause is improper neutralization of input during web page generation, classified under CWE-79. This vulnerability allows an unauthenticated attacker to send specially crafted HTTP requests that cause malicious scripts to be reflected back and executed in the victim’s browser context. The vulnerability affects FortiProxy versions 7.0.0, 7.2.0, 7.4.0, and 7.6.0 through 7.6.3, as well as FortiOS versions 6.4, 7.0, 7.2, 7.4, and 7.6.0 through 7.6.3, and FortiSASE 25.2.a. The attack vector is network-based (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), but requires user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact on confidentiality and integrity is low (C:L, I:L), with no impact on availability (A:N). The vulnerability has a CVSS v3.1 base score of 4.5, indicating medium severity. No known exploits are currently reported in the wild. The vulnerability could be leveraged for session hijacking, phishing, or other social engineering attacks by executing malicious scripts in users’ browsers when they interact with crafted URLs or web content served by the vulnerable Fortinet products. This can undermine user trust and potentially lead to further compromise if combined with other attack vectors.

For European organizations, the impact of CVE-2025-31366 is primarily related to confidentiality and integrity risks stemming from reflected XSS attacks. Successful exploitation could allow attackers to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites, facilitating phishing or malware delivery. Organizations relying on Fortinet FortiProxy and FortiOS for secure web gateway, proxy, or firewall functions may see their users targeted, especially in environments where these products are exposed to the internet or used as part of web filtering. The vulnerability does not directly affect availability but can degrade trust in security infrastructure. Given Fortinet’s strong market presence in Europe, particularly in sectors like finance, government, and critical infrastructure, exploitation could have cascading effects on sensitive data confidentiality and operational integrity. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in phishing-prone environments. The medium severity rating suggests moderate urgency but should not be ignored, especially in high-value target organizations.

1. Apply official patches and updates from Fortinet as soon as they are released for the affected FortiProxy and FortiOS versions. 2. Implement strict input validation and output encoding on all web interfaces to prevent injection of malicious scripts. 3. Deploy Web Application Firewalls (WAFs) with rules specifically designed to detect and block reflected XSS payloads targeting Fortinet products. 4. Restrict access to FortiProxy and FortiOS management interfaces to trusted networks and use VPNs or zero-trust access models to reduce exposure. 5. Educate end users and administrators about phishing risks and the dangers of clicking on suspicious links, especially those that may trigger reflected XSS attacks. 6. Monitor logs and network traffic for unusual HTTP requests that may indicate attempted exploitation. 7. Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers interacting with Fortinet web interfaces. 8. Regularly review and harden Fortinet device configurations to minimize attack surface and disable unnecessary web services or features that could be exploited.