A Critical Security Alert: Fortinet has released updates that address a critical vulnerability in FortiSIEM which could allow an unauthenticated attacker to execute code remotely on affected systems. The flaw, tracked as CVE-2025-64155, carries a severity rating of 9.4 out of 10.0 on the Common Vulnerability Scoring System (CVSS).
According to Fortinet, the vulnerability is an OS command injection flaw in how certain commands are processed within FortiSIEM. It permits an attacker without valid credentials to execute unauthorized commands or code through specially crafted TCP requests. The detailed advisory is available in Fortinet's security bulletin.
The security issue is confined to Super and Worker nodes, and Fortinet has rolled out fixes in the following versions:
- FortiSIEM 6.7.0 to 6.7.10: Migrate to a fixed release.
- FortiSIEM 7.0.0 to 7.0.4: Migrate to a fixed release.
- FortiSIEM 7.1.0 to 7.1.8: Upgrade to 7.1.9 or later.
- FortiSIEM 7.2.0 to 7.2.6: Upgrade to 7.2.7 or later.
- FortiSIEM 7.3.0 to 7.3.4: Upgrade to 7.3.5 or later.
- FortiSIEM 7.4.0: Upgrade to 7.4.1 or later.
- FortiSIEM 7.5 and FortiSIEM Cloud: Not affected by this vulnerability.
Zach Hanley, a security researcher with Horizon3.ai who discovered and reported this vulnerability on August 14, 2025, explained that it consists of two critical components:
- An unauthenticated argument injection vulnerability leading to arbitrary file writing, enabling remote code execution as an administrator.
- A privilege escalation vulnerability allowing an attacker to gain root access, effectively compromising the entire appliance.
The heart of the issue lies in FortiSIEM's phMonitor service, a backend process responsible for monitoring system health, distributing tasks, and handling communication between nodes over TCP port 7900. The service mishandles incoming requests, in particular those related to logging security events in Elasticsearch, and invokes a shell script with user-controlled parameters. The script's handling of those parameters allows argument injection into curl, which can be abused to write arbitrary files to disk in the context of the admin user.
An attacker could leverage this limited file write to gain full control of the system. For example, the curl argument injection could be used to place a reverse shell script at the writable location "/opt/charting/redishb.sh", a file that a cron job running with root privileges executes every minute. This lets the attacker escalate from admin to root, granting complete access to the FortiSIEM appliance. A crucial aspect of this attack is that the phMonitor service exposes several command handlers that require no authentication at all, so anyone who can reach port 7900 over the network can invoke them.
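The escalation step described above is one instance of a general pattern worth auditing on any Linux host: a root cron job whose script lives in a file that a lower-privileged account can modify or create. The check below is an added example, not Fortinet's code or guidance and not tied to FortiSIEM's real file layout; the crontab text, file names and permissions it uses are constructed for the demo, and the `hb.sh` name is a hypothetical stand-in for a heartbeat script.

```python
import os, shlex, stat, tempfile
from typing import List, Tuple

def scheduled_scripts(crontab_text: str) -> List[str]:
    """First absolute path in each job's command (user-crontab layout); skips
    comments and VAR=value lines. Heuristic: 'cd /x && ...' yields /x."""
    paths = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        nfields = 2 if line.startswith("@") else 6   # @daily cmd | m h dom mon dow cmd
        parts = line.split(None, nfields - 1)
        if len(parts) < nfields:
            continue  # environment assignment such as SHELL=/bin/bash
        for tok in shlex.split(parts[-1]):
            if tok.startswith("/"):
                paths.append(tok)
                break
    return paths

def weak_cron_targets(crontab_text: str, trusted_uids=(0,)) -> List[Tuple[str, str]]:
    """Flag scripts a lower-privileged account could control: owned by an untrusted
    uid, group/world-writable, or missing (whoever creates it owns the job)."""
    findings = []
    for path in scheduled_scripts(crontab_text):
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append((path, "missing: creatable by whoever owns the directory"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((path, f"owned by untrusted uid {st.st_uid}"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, f"group/world-writable ({stat.filemode(st.st_mode)})"))
    return findings

def demo() -> dict:
    """Constructed fixture: a 666 and a 755 script plus a missing one, all run by root."""
    d = tempfile.mkdtemp()
    weak, safe = os.path.join(d, "hb.sh"), os.path.join(d, "ok.sh")  # hypothetical names
    for p, mode in ((weak, 0o666), (safe, 0o755)):
        with open(p, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(p, mode)
    crontab = (f"SHELL=/bin/bash\n# heartbeat\n* * * * * {weak} >/dev/null 2>&1\n"
               f"@daily bash {safe}\n0 3 * * * /no/such/job.sh\n")
    return dict(weak_cron_targets(crontab, trusted_uids=(os.getuid(),)))
```

On a real host, feed the output of `crontab -l -u root` (and, for system crontabs with a user field, strip that field first) to `weak_cron_targets`; any finding is a script that root executes but root does not exclusively control.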
In addition to this alarming vulnerability in FortiSIEM, Fortinet has also addressed another severe security flaw in FortiFone (CVE-2025-47855) that could enable an unauthenticated attacker to extract device configurations through a specially crafted HTTP(S) request directed at the Web Portal page. This issue also carries a high CVSS score of 9.3 and impacts the following versions of the enterprise communication platform:
- FortiFone 3.0.13 to 3.0.23: Upgrade to 3.0.24 or later.
- FortiFone 7.0.0 to 7.0.1: Upgrade to 7.0.2 or later.
- FortiFone 7.2: Not affected by this vulnerability.
For optimal protection, users are strongly encouraged to update to the latest versions. To mitigate risks associated with CVE-2025-64155 in the meantime, Fortinet recommends restricting access to the phMonitor port (7900).
What do you think about the implications of these vulnerabilities? Are companies doing enough to protect their systems against such threats? Share your thoughts below and join the conversation!