CVE-2025-31366 is a reflected cross-site scripting (XSS) vulnerability identified in Fortinet FortiProxy and FortiOS products, specifically versions 7.6.0 through 7.6.3, 7.4.0 through 7.4.8, 7.2 all versions, 7.0 all versions, and 6.4 all versions for FortiOS, as well as FortiSASE 25.2.a. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79, which allows an unauthenticated attacker to craft malicious HTTP requests that inject executable scripts into the web interface responses. When a victim interacts with the crafted link or page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions within the web interface. The attack vector is network-based (AV:N), requires high attack complexity (AC:H), no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact on confidentiality and integrity is low (C:L/I:L), with no impact on availability (A:N). No known exploits have been reported in the wild, but the vulnerability is publicly disclosed as of October 14, 2025. Fortinet has not yet published patches or mitigation details, increasing the urgency for defensive measures. The vulnerability affects widely deployed Fortinet products used for secure web proxying and network security, making it relevant for organizations relying on FortiProxy and FortiOS for perimeter defense and secure access.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data accessed through FortiProxy and FortiOS web interfaces. Successful exploitation could allow attackers to execute arbitrary scripts in the context of administrative or user sessions, potentially leading to credential theft, session hijacking, or unauthorized configuration changes. While availability is not directly impacted, the compromise of administrative interfaces could lead to broader security breaches. Organizations in sectors such as finance, government, telecommunications, and critical infrastructure that rely heavily on Fortinet products for secure network access and web filtering are particularly at risk. The requirement for user interaction limits automated exploitation but does not eliminate risk, especially in environments with high user exposure to phishing or social engineering. The lack of known exploits in the wild currently reduces immediate threat but does not preclude future exploitation attempts. The medium CVSS score reflects moderate risk, but the strategic importance of affected systems in European networks elevates the need for prompt mitigation.

European organizations should immediately audit their Fortinet FortiProxy and FortiOS deployments to identify affected versions. Until patches are available, implement strict input validation and output encoding on web interfaces to reduce XSS risk. Employ web application firewalls (WAFs) with rules targeting reflected XSS patterns specific to Fortinet interfaces. Enforce multi-factor authentication (MFA) for administrative access to limit impact if credentials are compromised. Educate users and administrators about phishing risks and the dangers of interacting with suspicious links. Monitor logs for unusual HTTP request patterns indicative of attempted exploitation. Segregate management interfaces from general user networks and restrict access via VPN or IP whitelisting. Stay updated with Fortinet advisories for patches and apply them promptly once released. Consider deploying Content Security Policy (CSP) headers to mitigate script injection impacts. Regularly review and update incident response plans to include scenarios involving web interface compromise.