
Caught in the FortiNet: How Attackers Can Exploit FortiClient to Compromise Organizations (2/3)

Blog post from Sonar

Post Details
Company: Sonar
Date Published:
Author: Yaniv Nizry
Word Count: 1,730
Language: English
Hacker News Points: -
Summary

Fortinet, a prominent cybersecurity solutions provider, comes under scrutiny as this post explores vulnerabilities in two of its key products, FortiClient and EMS, and shows how attackers could chain them to gain complete control of an organization. The vulnerabilities, CVE-2025-22859 among others, allow an authenticated attacker to upload a stored XSS payload to a Linux-based EMS server. From there, the attacker can manipulate managed endpoints into connecting to a malicious EMS server and potentially execute arbitrary code on them.

The post highlights critical flaws in the communication protocol between FortiClient and EMS: because inputs are not normalized, an attacker can create arbitrary files, and this in turn enables stored XSS despite the content-type restrictions in place. The vulnerabilities have since been patched, and the post stresses the importance of keeping systems up to date to prevent threats of this severity. Fortinet's Product Security Incident Response Team (PSIRT) collaborated actively in addressing these issues.