Fortinet warns of FortiSIEM pre-auth RCE flaw with exploit within the wild

Fortinet is warning of a remote, unauthenticated command injection flaw in FortiSIEM for which exploit code has been found in the wild, making it crucial for admins to apply the latest security updates.

FortiSIEM is a central security monitoring and analytics platform used for log collection, network telemetry, and security incident alerting. It is an integral part of many security operations centers, where it is an essential tool for IT operations teams and analysts.

The product is commonly used by governments, large enterprises, financial institutions, healthcare providers, and managed security service providers (MSSPs).

The flaw, tracked as CVE-2025-25256 and rated critical (CVSS: 9.8), affects multiple FortiSIEM branches, from 5.4 up to 7.3.

“An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests,” Fortinet says in its advisory.

While Fortinet does not outright state that the flaw was exploited as a zero-day, it did confirm that functional exploit code for the flaw exists.

“Practical exploit code for this vulnerability was found in the wild,” the vendor noted.

Fortinet also says that exploitation of this flaw does not produce distinctive indicators of compromise (IOCs), so there is no simple artifact admins can check to determine whether a device has already been compromised.

The disclosure comes a day after GreyNoise warned of a massive spike in brute-force attacks targeting Fortinet SSL VPNs earlier this month, followed by a shift toward FortiManager. The network threat intelligence company warned that such spikes in malicious traffic often precede the disclosure of a new vulnerability.

It is unclear whether Fortinet’s disclosure of CVE-2025-25256 is related to GreyNoise’s report.

Given the availability of an exploit proof of concept (PoC), organizations should apply the security updates for CVE-2025-25256 as soon as possible by upgrading to one of the following FortiSIEM versions:

  • FortiSIEM 7.3.2
  • FortiSIEM 7.2.6
  • FortiSIEM 7.1.8
  • FortiSIEM 7.0.4
  • FortiSIEM 6.7.10

FortiSIEM versions 5.4 through 6.6 are also vulnerable in all releases, but those branches are no longer supported and will not receive a patch for the flaw. Administrators running these older FortiSIEM versions are advised to migrate to a newer, actively supported release.
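For admins with more than a handful of nodes, the fix list above is easier to apply as a script than by eye. The following is an added example, not Fortinet’s own tooling: a POSIX shell triage helper that classifies a FortiSIEM version string against the fixed releases listed in the advisory and the unsupported 5.4 to 6.6 range. The host names and version strings in the sample inventory are constructed for illustration; how you obtain the version from each node (CLI, API, or asset database) is an assumption left to the reader. Note that a version check tells you whether a node is patched, not whether it was already exploited, since Fortinet reports no unique IOCs for this flaw.

```shell
#!/bin/sh
# Added example (not Fortinet's code): classify FortiSIEM versions against the
# fixed releases published for CVE-2025-25256.
# Outputs one of: fixed, vulnerable, unsupported, unlisted.

# Fixed releases per branch, exactly as listed in the advisory.
FIXED_RELEASES="7.3.2 7.2.6 7.1.8 7.0.4 6.7.10"

# version_ge A B: exit 0 if dotted version A >= B (numeric per field,
# missing fields count as 0, so 6.7.10 > 6.7.9 and 7.3 == 7.3.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# fortisiem_status VERSION: print the status of one version string.
fortisiem_status() {
    # Drop build suffixes (e.g. "7.3.1-build1234") so only digits and dots remain.
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    branch=$(printf '%s' "$v" | cut -d. -f1,2)
    for fixed in $FIXED_RELEASES; do
        if [ "$branch" = "$(printf '%s' "$fixed" | cut -d. -f1,2)" ]; then
            if version_ge "$v" "$fixed"; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    # 5.4 through 6.6: affected, end of support, no fix will be published.
    if version_ge "$v" 5.4 && ! version_ge "$v" 6.7; then
        echo unsupported
        return 0
    fi
    # Anything else is outside the ranges the advisory names: verify by hand.
    echo unlisted
}

# triage_inventory: read "host version" lines on stdin, print "host version status".
triage_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        printf '%s %s %s\n' "$host" "$ver" "$(fortisiem_status "$ver")"
    done
}

# Constructed sample inventory (hypothetical hosts and versions).
demo() {
    printf '%s\n' \
        'fsiem-sup-01 7.3.1' \
        'fsiem-wkr-01 7.3.2' \
        'fsiem-col-01 7.1.7-build2014' \
        'fsiem-col-02 6.7.10' \
        'fsiem-legacy 6.6.3' \
        'fsiem-lab 7.4.0' | triage_inventory
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh triage.sh demo` to see the sample, or pipe your own `host version` lines into `triage_inventory`. Anything reported as `unlisted` (for example a 7.4 build) is outside the version ranges the advisory names and should be checked against Fortinet’s advisory directly rather than assumed safe.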

Fortinet also provided a workaround: limit access to the phMonitor service on port 7900, which indicates that this port is the entry point for exploitation.

It is important to note that such a workaround reduces exposure and buys time until an upgrade can be carried out, but it does not fix the underlying vulnerability.
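Fortinet’s advisory names the port but not a specific way to restrict it, so the following is an added example rather than Fortinet’s workaround text. It assumes the node runs a Linux host firewall managed with iptables (an assumption; an upstream network firewall achieves the same thing) and that inbound TCP/7900 should only be reachable from a reviewed list of peers, typically your own FortiSIEM supervisor, worker and collector nodes plus any management host. Which peers genuinely need phMonitor in your deployment is something to confirm against Fortinet’s port documentation, not something this script knows; the peer addresses in the usage are hypothetical. The rules are generated as text first so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not Fortinet's code): restrict inbound TCP/7900 (phMonitor)
# to a named set of peers with iptables, and check whether the port is
# listening at all. Peer addresses are hypothetical and must come from your
# own inventory.

PHMONITOR_PORT=7900
CHAIN=FSIEM_PHMON

# phmonitor_rules "PEER PEER ...": print the iptables commands, one per line,
# that accept 7900 from the listed peers and drop it from everywhere else.
# Printing first lets you review the set and diff it against the live rules.
phmonitor_rules() {
    peers=$1
    # Create the dedicated chain, or flush it if it already exists, so reruns are idempotent.
    printf 'iptables -N %s 2>/dev/null || iptables -F %s\n' "$CHAIN" "$CHAIN"
    for p in $peers; do
        printf 'iptables -A %s -s %s -p tcp --dport %s -j ACCEPT\n' "$CHAIN" "$p" "$PHMONITOR_PORT"
    done
    # Default for the port: drop (this is the corrected setting; with no jump
    # in place, 7900 is reachable from any source, which is the weak state).
    printf 'iptables -A %s -p tcp --dport %s -j DROP\n' "$CHAIN" "$PHMONITOR_PORT"
    # Hook the chain into INPUT exactly once: -C checks for an existing rule.
    printf 'iptables -C INPUT -p tcp --dport %s -j %s 2>/dev/null || iptables -I INPUT 1 -p tcp --dport %s -j %s\n' \
        "$PHMONITOR_PORT" "$CHAIN" "$PHMONITOR_PORT" "$CHAIN"
}

# phmonitor_apply "PEER ...": apply the generated rules (needs root).
# Set DRY_RUN=1 to only print them.
phmonitor_apply() {
    rules=$(phmonitor_rules "$1")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    printf '%s\n' "$rules" | sh -e
}

# phmonitor_allowed_count "PEER ...": number of ACCEPT rules in the generated
# set; use it to confirm the count matches the peers you intended to allow.
phmonitor_allowed_count() {
    phmonitor_rules "$1" | grep -c -- '-j ACCEPT'
}

# phmonitor_listening: exit 0 if something is listening on TCP/7900 on this host.
# Useful on a node where you believe phMonitor should not be exposed at all.
phmonitor_listening() {
    ss -ltn 2>/dev/null | awk -v p=":$PHMONITOR_PORT" '$4 ~ p"$" { found = 1 } END { exit found ? 0 : 1 }'
}

# Usage (hypothetical peers): review, then apply.
#   DRY_RUN=1 phmonitor_apply "10.0.10.11 10.0.10.12 10.0.10.13"
#   phmonitor_apply "10.0.10.11 10.0.10.12 10.0.10.13"
#   iptables -S FSIEM_PHMON
```

After applying, verify from a host that is not in the peer list that a TCP connection to port 7900 now fails, and keep the rule set in change control: it is a stopgap, and the node still needs the upgrade to a fixed release.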
