
Exploit code public for critical FortiSIEM command injection flaw

Technical details and a public exploit have been released for a critical vulnerability affecting Fortinet's Security Information and Event Management (SIEM) solution that could be leveraged by a remote, unauthenticated attacker to execute commands or code.

The vulnerability is tracked as CVE-2025-25256 and is a combination of two issues that allow an arbitrary write with admin permissions and privilege escalation to root access.

Researchers at penetration testing company Horizon3.ai reported the security issue in mid-August 2025. In early November, Fortinet addressed it in 4 out of 5 development branches of the product and announced this week that all vulnerable versions have been patched.


Fortinet describes the CVE-2025-25256 vulnerability as "an improper neutralization of special elements used in an OS command vulnerability in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests."

Horizon3.ai has published a detailed write-up explaining that the root cause of the issue is the exposure of dozens of command handlers on the phMonitor service, which can be invoked remotely without authentication.


The researchers say that this service has been the entry point for multiple FortiSIEM vulnerabilities over several years, such as CVE-2023-34992 and CVE-2024-23108, and underline that ransomware groups like Black Basta have previously shown genuine interest in these flaws.

Along with technical details about CVE-2025-25256, the researchers have also published a proof-of-concept exploit. Since the vendor has delivered the fix and published a security advisory, the researchers decided to share the exploit code.

The flaw affects FortiSIEM versions from 6.7 to 7.5, and fixes were made available in the following releases:

  • FortiSIEM 7.4.1 or above
  • FortiSIEM 7.3.5 or above
  • FortiSIEM 7.2.7 or above
  • FortiSIEM 7.1.9 or above

FortiSIEM 7.0 and 6.7.0 are also affected but are no longer supported, so they won't receive a fix for CVE-2025-25256.

Fortinet clarified that this flaw does not affect FortiSIEM 7.5 and FortiSIEM Cloud.

The only workaround provided by the vendor for those unable to apply the security update immediately is to restrict access to the phMonitor port (7900).


Horizon3.ai has also shared indicators of compromise that can help organizations detect compromised systems. When reviewing the logs of messages received by phMonitor (/opt/phoenix/log/phoenix.logs), the line containing 'PHL_ERROR' should include the URL of the payload and the file it was written to.
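As an added example (not code from Horizon3.ai or Fortinet), the following script applies that indicator to a log file: it keeps only 'PHL_ERROR' lines that carry both a remote URL and a local file path after it, which is the pattern the write-up describes. The sample lines are constructed and the line layout is an assumption; only the 'PHL_ERROR' marker and the log path come from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in an assumed layout. The real phoenix.logs format
# may differ; the logic only relies on the 'PHL_ERROR' marker named in the write-up.
SAMPLE_LOG = """\
2025-11-10 09:12:01 [PHL_INFO] phMonitor: handler dispatched for cmd 0x2a
2025-11-10 09:12:07 [PHL_ERROR] phMonitor: failed to fetch http://198.51.100.23:8000/p.sh into /tmp/p.sh
2025-11-10 09:12:09 [PHL_ERROR] phMonitor: config reload failed
2025-11-10 09:12:15 [PHL_ERROR] phMonitor: download https://203.0.113.9/update.bin -> /opt/phoenix/bin/x
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# An absolute path not glued to a preceding word or slash (so URL components are not matched).
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.-]+/)*[\w.-]+")


@dataclass
class Hit:
    line_no: int
    url: str
    path: str
    raw: str


def scan_phoenix_log(text: str) -> list[Hit]:
    """Return PHL_ERROR lines that name both a payload URL and a destination file."""
    hits: list[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        if "PHL_ERROR" not in line:
            continue
        url = URL_RE.search(line)
        if not url:
            continue  # an error line without a fetch URL is not this indicator
        # Only look for the local path after the URL so the URL's own path is ignored.
        path = PATH_RE.search(line[url.end():])
        if path:
            hits.append(Hit(n, url.group(0), path.group(0), line))
    return hits


def scan_file(log_path: str = "/opt/phoenix/log/phoenix.logs") -> list[Hit]:
    """Run the same check over the real log file on a FortiSIEM host."""
    with open(log_path, encoding="utf-8", errors="replace") as fh:
        return scan_phoenix_log(fh.read())


if __name__ == "__main__":
    for h in scan_phoenix_log(SAMPLE_LOG):
        print(f"line {h.line_no}: payload {h.url} written to {h.path}")
```

Any hit is worth treating as a potential compromise; the referenced file should be preserved for analysis rather than simply deleted.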
