Critical FortiSIEM Vulnerability Exposes Systems to Remote Code Execution
On January 13, 2026, Fortinet disclosed a critical security vulnerability in its FortiSIEM platform, identified as CVE-2025-64155. This flaw allows unauthenticated attackers to execute arbitrary code remotely by sending specially crafted TCP packets to the phMonitor component on port 7900. The vulnerability arises from improper neutralization of special elements used in OS commands (CWE-78), posing a significant risk to organizations relying on FortiSIEM for security information and event management.
Understanding the Vulnerability
CVE-2025-64155 is an OS command injection vulnerability that enables remote code execution without requiring authentication. Attackers can exploit this flaw by sending malicious TCP requests to the phMonitor service, potentially leading to full system compromise. The vulnerability has been assigned a CVSS v3.1 base score of 9.4, indicating its critical severity due to factors such as network accessibility, low attack complexity, and the absence of required privileges.
Affected Versions and Recommended Actions
The vulnerability affects multiple versions of FortiSIEM, excluding Collector nodes. Fortinet has provided the following guidance for affected versions:
– FortiSIEM 7.4: Version 7.4.0 is affected. Users should upgrade to version 7.4.1 or later.
– FortiSIEM 7.3: Versions 7.3.0 through 7.3.4 are affected. Users should upgrade to version 7.3.5 or later.
– FortiSIEM 7.2: Versions 7.2.0 through 7.2.6 are affected. Users should upgrade to version 7.2.7 or later.
– FortiSIEM 7.1: Versions 7.1.0 through 7.1.8 are affected. Users should upgrade to version 7.1.9 or later.
– FortiSIEM 7.0: Versions 7.0.0 through 7.0.4 are affected. Users should migrate to a fixed release.
– FortiSIEM 6.7: Versions 6.7.0 through 6.7.10 are affected. Users should migrate to a fixed release.
FortiSIEM Cloud and version 7.5 are not affected by this vulnerability.
Mitigation Measures
Organizations unable to immediately apply the recommended updates should implement the following mitigation measures:
– Restrict Access: Limit access to TCP port 7900 to trusted internal hosts only. This can be achieved by configuring firewall rules to block unauthorized access to this port.
– Monitor Logs: Regularly audit system logs for any unusual activity, particularly focusing on traffic directed to port 7900.
– Network Segmentation: Implement least-privilege network segmentation to minimize the potential impact of a compromised system.
Reporting and Disclosure
The vulnerability was responsibly reported by security researcher Zach Hanley of Horizon3.ai under Fortinet’s vulnerability disclosure program. Fortinet has acknowledged the report and provided detailed guidance in their advisory FG-IR-25-772. As of now, there is no evidence of active exploitation of this vulnerability. However, due to its critical nature and the potential for unauthenticated remote code execution, organizations are urged to apply the necessary updates and mitigation measures promptly.
Conclusion
The disclosure of CVE-2025-64155 underscores the importance of maintaining up-to-date security systems and promptly addressing vulnerabilities. Organizations using FortiSIEM should prioritize applying the recommended updates or implementing mitigation measures to protect their systems from potential exploitation. Regular monitoring and adherence to security best practices are essential in safeguarding against such critical vulnerabilities.
