CVE-2025-31366 is a reflected cross-site scripting (XSS) vulnerability identified in Fortinet’s FortiOS, FortiProxy, and FortiSASE products across multiple versions (FortiOS 6.4.0 through 7.6.3, FortiProxy 7.0.0 through 7.6.3, and FortiSASE 25.3.a). The root cause is improper neutralization of input during web page generation, classified under CWE-79. This flaw enables an unauthenticated attacker to craft malicious HTTP requests that inject executable scripts into the web interface responses. When a legitimate user interacts with the malicious link or payload, the injected script executes in the user’s browser context, potentially leading to session hijacking, credential theft, or unauthorized actions within the web management interface. The vulnerability has a CVSS v3.1 base score of 4.5, indicating medium severity, with the vector string showing network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), and requiring user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality and integrity at a low level but does not affect availability. No known exploits have been reported in the wild as of the publication date (October 14, 2025). The vulnerability affects widely deployed Fortinet security products used for network security and secure access, which are critical components in enterprise and service provider environments.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of administrative sessions and sensitive data managed through Fortinet’s web interfaces. Successful exploitation could allow attackers to hijack administrative sessions, steal credentials, or perform unauthorized actions, potentially leading to further network compromise or data leakage. Given Fortinet’s widespread use in European enterprises, government agencies, and critical infrastructure sectors such as telecommunications and finance, the impact could be significant if exploited. However, the requirement for user interaction and high attack complexity reduces the likelihood of large-scale automated exploitation. Still, targeted phishing or social engineering campaigns could leverage this vulnerability to gain footholds in sensitive networks. The absence of known exploits in the wild currently limits immediate risk, but the presence of this vulnerability in multiple product lines and versions necessitates proactive mitigation to prevent future exploitation.

1. Apply vendor-provided patches or updates as soon as they become available for all affected Fortinet products to remediate the vulnerability. 2. Implement strict input validation and output encoding on web interfaces to prevent injection of malicious scripts. 3. Employ web application firewalls (WAFs) with rules designed to detect and block reflected XSS attack patterns targeting Fortinet management interfaces. 4. Restrict administrative access to Fortinet devices to trusted networks and use VPNs or zero-trust network access solutions to limit exposure. 5. Educate users and administrators about the risks of clicking on unsolicited or suspicious links, especially those purporting to be related to network management. 6. Monitor logs and network traffic for unusual activity indicative of attempted exploitation or phishing campaigns targeting Fortinet interfaces. 7. Consider multi-factor authentication (MFA) for administrative access to reduce risk from credential theft. 8. Regularly review and harden Fortinet device configurations to minimize attack surface and disable unnecessary services.