CVE-2025-58324 is a stored cross-site scripting (XSS) vulnerability identified in Fortinet's FortiSIEM product versions 6.2.0 through 7.2.2. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. An authenticated attacker with high privileges can craft malicious HTTP requests that inject persistent scripts into the FortiSIEM web interface. When other users or administrators access the affected pages, the malicious scripts execute in their browsers, potentially allowing unauthorized code or command execution within the context of the application. This can lead to session hijacking, privilege escalation, or manipulation of FortiSIEM data and operations. The vulnerability requires both authentication with high privileges and user interaction, which reduces the likelihood of remote exploitation by unauthenticated attackers. The CVSS 3.1 base score is 6.1, reflecting medium severity due to the combination of high impact on confidentiality, integrity, and availability, but mitigated by the attack complexity and required privileges. No public exploits or active exploitation in the wild have been reported as of the publication date (October 14, 2025). FortiSIEM is widely used for security information and event management, making this vulnerability significant for organizations relying on it for monitoring and incident response. The lack of patch links suggests that fixes may be pending or recently released, emphasizing the need for vigilance and timely updates.

For European organizations, this vulnerability poses a risk to the integrity and confidentiality of security monitoring data and the availability of FortiSIEM services. Successful exploitation could allow attackers to execute unauthorized commands, manipulate security alerts, or disrupt monitoring capabilities, potentially masking malicious activities or causing operational downtime. This is particularly critical for sectors such as finance, energy, telecommunications, and government agencies that depend heavily on FortiSIEM for real-time security insights. The requirement for high-privilege authentication limits exposure but insider threats or compromised credentials could enable exploitation. Additionally, the stored XSS nature means that multiple users with access to the FortiSIEM interface could be affected once the malicious payload is injected. The impact extends beyond the affected system, as compromised FortiSIEM instances could undermine broader organizational security posture and incident response effectiveness.

Organizations should immediately verify the FortiSIEM versions in use and plan to apply vendor-provided patches as soon as they become available. In the interim, restrict administrative and high-privilege access to trusted personnel only, and enforce strong authentication mechanisms such as multi-factor authentication (MFA). Implement strict input validation and sanitization on all user inputs interacting with FortiSIEM interfaces. Deploy web application firewalls (WAFs) with rules designed to detect and block XSS attack patterns targeting FortiSIEM. Monitor logs and user activities for unusual behavior indicative of exploitation attempts. Conduct regular security awareness training to reduce risks from social engineering that could lead to credential compromise. Finally, segment FortiSIEM management interfaces from general network access to limit exposure to potential attackers.