CVE-2025-58324 is a stored cross-site scripting (XSS) vulnerability identified in Fortinet's FortiSIEM product, versions 6.2.0 through 7.2.2. The root cause is improper neutralization of input during web page generation, classified under CWE-79. This flaw allows an authenticated attacker with high privileges to inject malicious scripts via crafted HTTP requests that are stored and later executed in the context of the FortiSIEM web interface. The vulnerability requires both authentication with high privileges and user interaction to trigger the malicious payload. Successful exploitation can lead to unauthorized code or command execution within the web application context, potentially compromising confidentiality, integrity, and availability of the FortiSIEM system. The CVSS v3.1 score is 6.1 (medium severity), reflecting the network attack vector, high attack complexity, required privileges, and user interaction. No public exploits have been reported yet, but the vulnerability poses a significant risk given FortiSIEM's role in security monitoring and incident response. FortiSIEM is widely deployed in enterprise environments to aggregate and analyze security events, making this vulnerability critical to address to prevent lateral movement or further compromise within networks.

For European organizations, the impact of CVE-2025-58324 can be substantial due to FortiSIEM's role in centralizing security event management and incident response. Exploitation could allow attackers to execute unauthorized commands or code, potentially leading to data breaches, manipulation or deletion of security logs, and disruption of security monitoring capabilities. This undermines the organization's ability to detect and respond to other threats, increasing the risk of prolonged undetected intrusions. Confidentiality is at risk as attackers may access sensitive security data; integrity is compromised through possible alteration of logs or configurations; availability may be affected if the system is destabilized or commands disrupt operations. The requirement for high privileges and user interaction somewhat limits exploitation but does not eliminate risk, especially in environments with many administrators or users with elevated rights. Given the critical nature of FortiSIEM in security infrastructure, the vulnerability could have cascading effects on overall organizational security posture.

European organizations should immediately verify their FortiSIEM versions and apply any available patches or updates from Fortinet once released. In the absence of patches, implement strict input validation and sanitization on all user-supplied data within FortiSIEM interfaces to mitigate stored XSS risks. Limit the number of users with high privilege access to FortiSIEM and enforce strong authentication mechanisms, such as multi-factor authentication (MFA), to reduce the risk of credential compromise. Conduct regular security awareness training to minimize risky user interactions that could trigger XSS payloads. Monitor FortiSIEM logs for unusual activities or signs of exploitation attempts. Employ web application firewalls (WAFs) with custom rules to detect and block malicious HTTP requests targeting FortiSIEM. Additionally, segment FortiSIEM servers within secure network zones to limit lateral movement if compromised. Finally, maintain an incident response plan tailored to FortiSIEM compromise scenarios.