
Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution

Fortinet has released updates to fix a critical security flaw affecting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on vulnerable instances.

The operating system (OS) command injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.

“An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,” the company said in a Tuesday bulletin.

Fortinet said the vulnerability affects only Supervisor and Worker nodes, and listed the affected versions and the remediation for each as follows –

  • FortiSIEM 6.7.0 through 6.7.10 (Migrate to a fixed release)
  • FortiSIEM 7.0.0 through 7.0.4 (Migrate to a fixed release)
  • FortiSIEM 7.1.0 through 7.1.8 (Upgrade to 7.1.9 or above)
  • FortiSIEM 7.2.0 through 7.2.6 (Upgrade to 7.2.7 or above)
  • FortiSIEM 7.3.0 through 7.3.4 (Upgrade to 7.3.5 or above)
  • FortiSIEM 7.4.0 (Upgrade to 7.4.1 or above)
  • FortiSIEM 7.5 (Not affected)
  • FortiSIEM Cloud (Not affected)
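As an added example (not code from the article, Fortinet or Horizon3), the following script triages an inventory of FortiSIEM nodes against the affected ranges above. The version-string format ("7.3.2", "v7.4.0-build1234") and the sample inventory are assumptions for illustration; the product may report versions differently.

```python
# Added example (not from the article, Fortinet or Horizon3): triage an
# installed FortiSIEM version and node role against the affected ranges
# listed in the advisory above. Version strings are assumed to look like
# "7.3.2" or "v7.4.0-build1234"; the real product may format them differently.
import re

# Inclusive affected ranges and the remediation the advisory gives for each.
AFFECTED_RANGES = [
    ((6, 7, 0), (6, 7, 10), "Migrate to a fixed release"),
    ((7, 0, 0), (7, 0, 4), "Migrate to a fixed release"),
    ((7, 1, 0), (7, 1, 8), "Upgrade to 7.1.9 or above"),
    ((7, 2, 0), (7, 2, 6), "Upgrade to 7.2.7 or above"),
    ((7, 3, 0), (7, 3, 4), "Upgrade to 7.3.5 or above"),
    ((7, 4, 0), (7, 4, 0), "Upgrade to 7.4.1 or above"),
]

# Only these node roles are affected according to the advisory.
AFFECTED_ROLES = {"supervisor", "worker"}


def parse_version(text):
    """Turn '7.3.2', 'v7.4.0-build1234' or '7.5' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def triage(version, role):
    """Return (affected, action) for one node.

    role is the FortiSIEM node role as named in the advisory ('Supervisor'
    or 'Worker'); any other role is reported as not affected because the
    advisory scopes the flaw to those two.
    """
    v = parse_version(version)
    if role.strip().lower() not in AFFECTED_ROLES:
        return (False, "Not affected: advisory covers Supervisor and Worker nodes only")
    for low, high, action in AFFECTED_RANGES:
        if low <= v <= high:
            return (True, action)
    return (False, "Not affected: version outside the listed ranges")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("siem-sup-01", "7.3.2", "Supervisor"),
                 ("siem-wrk-01", "7.1.9", "Worker"),
                 ("siem-col-01", "7.3.2", "Collector")]
    for host, ver, role in inventory:
        affected, action = triage(ver, role)
        print(f"{host:12} {ver:8} {role:10} affected={affected} -> {action}")
```

The comparison is done on integer tuples rather than strings so that 6.7.10 sorts after 6.7.9; a build suffix after a dash or plus sign is ignored.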

Horizon3.ai security researcher Zach Hanley, who is credited with discovering and reporting the flaw on August 14, 2025, said it involves two moving parts –

  • An unauthenticated argument injection vulnerability that leads to an arbitrary file write, allowing remote code execution as the admin user
  • A file overwrite privilege escalation vulnerability that leads to root access and fully compromises the appliance

Specifically, the problem has to do with how FortiSIEM’s phMonitor service – a vital backend process responsible for health monitoring, job distribution, and inter-node communication over TCP port 7900 – handles incoming requests related to logging security events to Elasticsearch.

This, in turn, invokes a shell script with user-controlled parameters, thereby opening the door to argument injection via curl and achieving arbitrary file writes to disk in the context of the admin user.

This limited file write can be weaponized to achieve full system takeover by using the curl argument injection to write a reverse shell to “/opt/charting/redishb.sh,” a file that is writable by the admin user and is executed every minute by the appliance through a cron job that runs with root-level permissions.

In other words, writing a reverse shell to this file allows privilege escalation from admin to root, granting the attacker unfettered access to the FortiSIEM appliance. A crucial aspect of the attack is that the phMonitor service exposes several command handlers that do not require authentication. This makes it easy for an attacker to invoke these functions simply by obtaining network access to port 7900.
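The privilege escalation half of the chain is an instance of a general weakness: a script run by a root cron job that a lower-privileged account can modify. As an added example (not code from the article, Fortinet or Horizon3), the following audit flags that condition on any list of cron-executed scripts and keeps an integrity baseline so a change to such a script can be detected. The path in the usage section is a placeholder, not a FortiSIEM path.

```python
# Added example (not from the article, Fortinet or Horizon3): a defender's
# audit for the weakness class the write-up describes, a script executed by
# a root cron job that a less privileged account can modify. The path list
# is a placeholder; put the scripts your own root cron entries run here.
import hashlib
import os
import stat


def writability_findings(path):
    """Return reasons a non-root account could change what root ends up executing at path."""
    reasons = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        # A symlink lets whoever controls the link target control the script.
        reasons.append("symlink")
        return reasons
    if st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("group-writable by a non-root group")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    # A world-writable parent directory without the sticky bit lets anyone
    # replace the file even when the file itself is locked down.
    parent = os.path.dirname(path) or "."
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons


def audit_cron_scripts(paths):
    """Map each path to its list of findings; an empty list means no issue found."""
    return {p: writability_findings(p) for p in paths}


def sha256_of(path):
    """Content hash used as an integrity baseline for a root-executed script."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def changed_since_baseline(path, baseline_hex):
    """True if the script no longer matches the hash recorded when it was known good."""
    return sha256_of(path) != baseline_hex


if __name__ == "__main__":
    # Placeholder path; replace with the scripts named in your root crontab.
    for path, findings in audit_cron_scripts(["/opt/example/root-cron-job.sh"]).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Record `sha256_of()` for each script at a known-good point and re-run `changed_since_baseline()` from a scheduled job; a script that root executes every minute should never change outside a maintenance window.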


Fortinet has also shipped fixes for another critical security vulnerability in FortiFone (CVE-2025-47855, CVSS score: 9.3) that could allow an unauthenticated attacker to obtain the device configuration via a specially crafted HTTP(S) request to the Web Portal page. It affects the following versions of the enterprise communications platform –

  • FortiFone 3.0.13 through 3.0.23 (Upgrade to 3.0.24 or above)
  • FortiFone 7.0.0 through 7.0.1 (Upgrade to 7.0.2 or above)
  • FortiFone 7.2 (Not affected)

Users are advised to update to the latest versions for optimal protection. As a workaround for CVE-2025-64155, Fortinet recommends that customers limit access to the phMonitor port (7900).
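One way to implement that workaround on a Linux host firewall, as an added example (not code from the article or Fortinet), is to generate an nftables ruleset that accepts TCP 7900 only from your own Supervisor and Worker peers and drops it from everywhere else. The peer addresses, the table name and keeping loopback open are assumptions for illustration; review the output before loading it with `nft -f`.

```python
# Added example (not from the article or Fortinet): generate an nftables
# ruleset that implements the workaround above by allowing the phMonitor
# port only from your own Supervisor/Worker peers. The peer addresses,
# table name and the decision to keep loopback open are assumptions; review
# the output before loading it with `nft -f`.
import ipaddress


def _fmt(net):
    # Print host addresses bare and real prefixes in CIDR form.
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def phmonitor_ruleset(peer_ips, port=7900, table="fortisiem_guard"):
    """Return nftables text that accepts TCP `port` only from peer_ips and drops it otherwise."""
    nets = [ipaddress.ip_network(p, strict=False) for p in peer_ips]
    if not nets:
        raise ValueError("at least one peer address is required")
    v4 = [_fmt(n) for n in nets if n.version == 4]
    v6 = [_fmt(n) for n in nets if n.version == 6]
    lines = [
        f"table inet {table} {{",
        "  chain input {",
        # policy accept: this table only decides the fate of the phMonitor port;
        # other traffic stays governed by whatever firewall policy already exists.
        "    type filter hook input priority 0; policy accept;",
        # Assumption: local processes on the node keep access over loopback.
        f"    iif \"lo\" tcp dport {port} accept",
    ]
    if v4:
        lines.append(f"    ip saddr {{ {', '.join(v4)} }} tcp dport {port} accept")
    if v6:
        lines.append(f"    ip6 saddr {{ {', '.join(v6)} }} tcp dport {port} accept")
    lines += [
        # The counter makes blocked probes visible in `nft list ruleset`.
        f"    tcp dport {port} counter drop",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed peer addresses, not real deployment values.
    print(phmonitor_ruleset(["10.0.0.2", "10.0.0.3", "fd00::5"]))
```

Addresses are validated with `ipaddress`, so a typo in the peer list fails loudly instead of silently producing a rule that blocks a legitimate node; the final `counter drop` also gives you a cheap signal of how often unexpected sources are reaching the port.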
