Critical Fortinet FortiSIEM Vulnerability Exploited; Urgent Patch Recommended

Critical Fortinet FortiSIEM Vulnerability (CVE-2025-64155) Under Active Exploitation

A critical vulnerability, tracked as CVE-2025-64155, has been disclosed in Fortinet’s FortiSIEM platform and is being actively exploited. It poses a significant risk to organizations that rely on FortiSIEM for security information and event management, because the component at fault is reachable over the network without authentication.

Understanding CVE-2025-64155

CVE-2025-64155 is an OS command injection vulnerability in the phMonitor service of FortiSIEM. phMonitor carries internal traffic between Supervisor and Worker nodes. The flaw is an improper neutralization of special elements in OS commands (CWE-78): a field taken from a network request ends up in a shell command without adequate escaping. An unauthenticated attacker who can reach TCP port 7900 can send a specially crafted request and execute arbitrary commands on the affected node.

Technical Details

The phMonitor service listens on TCP port 7900 and, besides monitoring the health of FortiSIEM processes, services requests from other nodes. Published analysis places the flaw in the function ‘phMonitorProcess::handleStorageArchiveRequest’: a request field is passed into a shell command through ShellCmd::addParaSafe, which only escaped quote characters rather than neutralizing shell metacharacters, so values such as $(...) or backtick substitutions still run when the shell evaluates the command (double quotes do not suppress command substitution in sh). Note that the cited Wiz write-up is filed under CVE-2025-25256, the earlier unauthenticated command injection in the same phMonitor service; these function-level details come from analysis of that flaw, so check Fortinet’s advisory for CVE-2025-64155 before relying on them for this CVE. ([wiz.io](https://www.wiz.io/vulnerability-database/cve/cve-2025-25256?utm_source=openai))
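To make the sanitization failure concrete, the following Python snippet is an added illustration, not FortiSIEM code. The helper quote_only_escape is a hypothetical stand-in for an addParaSafe-style routine that escapes double quotes and nothing else; the two "safe" variants show the fixes a practitioner would apply instead. printf and /bin/sh are assumed to be present.

```python
"""Why quote-only escaping does not stop shell command injection.

Added example for this article; the functions below are hypothetical
stand-ins and are NOT the vendor's code.
"""
import shlex
import subprocess


def quote_only_escape(arg: str) -> str:
    """Hypothetical addParaSafe-style routine: escape embedded double quotes
    and wrap the value in double quotes. Looks safe, but is not."""
    return '"' + arg.replace('"', '\\"') + '"'


def run_shell_string(cmdline: str) -> str:
    """Run a built command line through /bin/sh, as a shell-string builder does."""
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout.strip()


def echo_unsafe(user_value: str) -> str:
    # Vulnerable pattern: concatenate a quote-escaped value into a shell string.
    # Inside double quotes sh still performs $(...) and `...` substitution,
    # so an attacker-supplied "$(echo pwned)" is executed, not printed.
    return run_shell_string("printf '%s' " + quote_only_escape(user_value))


def echo_safe_quoted(user_value: str) -> str:
    # Fix 1: shlex.quote single-quotes the value; nothing inside is expanded.
    return run_shell_string("printf '%s' " + shlex.quote(user_value))


def echo_safe_argv(user_value: str) -> str:
    # Fix 2 (preferred): no shell at all; the value is one argv element and
    # reaches printf untouched, whatever characters it contains.
    return subprocess.run(["printf", "%s", user_value], capture_output=True, text=True).stdout


if __name__ == "__main__":
    for payload in ["$(echo pwned)", 'x"; echo pwned; "']:
        print(repr(payload))
        print("  quote-escaped:", repr(echo_unsafe(payload)))
        print("  shlex.quote:  ", repr(echo_safe_quoted(payload)))
        print("  argv list:    ", repr(echo_safe_argv(payload)))
```

The second payload shows why quote escaping looks adequate in a quick test: a classic `"; cmd; "` break-out is indeed blocked. The first payload shows the gap: command substitution inside double quotes is still evaluated, which is exactly the class of bypass that "only escaped quotes" leaves open.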

Impact of the Vulnerability

Exploitation of CVE-2025-64155 can lead to severe consequences, including:

– Full System Compromise: Attackers can gain root-level access, allowing them to control the entire system.

– Data Exfiltration: Sensitive information stored within the FortiSIEM system can be accessed and extracted.

– Lateral Movement: With control over FortiSIEM, attackers can pivot to other systems within the network.

– Disruption of Security Monitoring: By compromising FortiSIEM, attackers can disable or manipulate security monitoring, leaving organizations blind to further malicious activities.

Affected Versions

The following versions of FortiSIEM are affected by this vulnerability:

– FortiSIEM 6.7.0 through 6.7.10

– FortiSIEM 7.0.0 through 7.0.4

– FortiSIEM 7.1.0 through 7.1.8

– FortiSIEM 7.2.0 through 7.2.6

– FortiSIEM 7.3.0 through 7.3.4

– FortiSIEM 7.4.0

FortiSIEM version 7.5 and FortiSIEM Cloud are not affected.

Exploitation in the Wild

Security researchers have observed active exploitation of this vulnerability. Defused, a cybersecurity firm, confirmed attacks against its honeypot deployments shortly after the patch was released. The observed payloads embedded second-stage infrastructure (the address from which follow-on tooling is fetched) directly inside the injection string, indicating that attackers were staging further compromise rather than merely probing for the flaw.

The reported indicators of compromise (IoCs) are source IP addresses, attributed to network space of Baxet Group Inc., Siamdata Communication, Contabo, China Mobile Communications Group, Tencent, and IDC, China Telecommunications Corporation. Because several of these are hosting providers, treat the addresses as short-lived and focus detection on the behaviour (unexpected peers on TCP port 7900) rather than on the list alone.

Mitigation and Recommendations

To protect against this vulnerability, organizations should take the following steps:

1. Immediate Patching: Upgrade FortiSIEM to a fixed release as specified in Fortinet’s advisory.

2. Restrict Access: As an interim measure, restrict TCP port 7900 so that only the Supervisor and Worker nodes that legitimately exchange phMonitor traffic can reach it, and ensure the port is never exposed to the internet. This reduces exposure but does not remove the flaw; patching is still required.

3. Monitor Logs: Review phMonitor logs and firewall or flow logs for connections to TCP port 7900 from addresses that are not FortiSIEM nodes, and investigate any unexpected child processes spawned by phMonitor, which is where a successful injection would show up.

4. Implement Network Segmentation: Limit the exposure of critical services by segmenting the network appropriately.

5. Stay Informed: Keep abreast of updates from Fortinet and apply patches promptly as they become available.
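The access restriction and log review in steps 2 and 3 can be automated. The following Python script is an added example, not part of this article or of any Fortinet tooling: it flags TCP/7900 connection attempts from sources outside a hypothetical set of Supervisor/Worker addresses, and emits nftables rule strings that allow only those peers. The log lines are constructed in netfilter-style syslog format purely as sample input; adjust the regex to match whatever your firewall or flow collector actually emits, and the nftables chain name (inet filter input) is an assumption about your ruleset.

```python
"""Flag unexpected peers on the phMonitor port and emit an allow-list.

Added example for this article; node addresses, log format and nftables
chain are all hypothetical.
"""
import ipaddress
import re

# Hypothetical Supervisor/Worker addresses that legitimately use phMonitor.
TRUSTED_NODES = {"10.10.1.5", "10.10.1.6", "10.10.1.7"}
PHMONITOR_PORT = 7900

# Constructed netfilter-style syslog lines used only as sample input.
SAMPLE_LOG = """\
Jan 12 10:01:02 fw kernel: IN=eth0 OUT= SRC=10.10.1.6 DST=10.10.1.5 PROTO=TCP SPT=50231 DPT=7900 SYN
Jan 12 10:01:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=10.10.1.5 PROTO=TCP SPT=41022 DPT=7900 SYN
Jan 12 10:01:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.1.5 PROTO=TCP SPT=41023 DPT=443 SYN
Jan 12 10:01:11 fw kernel: IN=eth0 OUT= SRC=10.10.1.7 DST=10.10.1.5 PROTO=TCP SPT=50232 DPT=7900 SYN
Jan 12 10:01:15 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.1.5 PROTO=TCP SPT=41024 DPT=7900 SYN
Jan 12 10:01:16 fw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=10.10.1.5 PROTO=TCP SPT=41025 DPT=7900 SYN
Jan 12 10:01:20 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.10.1.5 PROTO=UDP SPT=5353 DPT=7900
"""

FIELDS = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line: str):
    """Return (src, dst, proto, dport) or None for lines that are not connection records."""
    m = FIELDS.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def untrusted_phmonitor_peers(log_text: str, trusted=TRUSTED_NODES, port=PHMONITOR_PORT):
    """Count TCP connection attempts to `port` from sources outside `trusted`.

    Non-TCP records and other ports are ignored. Returns {source_ip: attempts},
    ordered with the most active source first.
    """
    counts: dict[str, int] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, _dst, proto, dport = rec
        if proto != "TCP" or dport != port or src in trusted:
            continue
        counts[src] = counts.get(src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], ipaddress.ip_address(kv[0]))))


def nft_allowlist_rules(trusted=TRUSTED_NODES, port=PHMONITOR_PORT):
    """Emit nftables rule strings admitting only trusted nodes to the port.

    Assumes an existing `inet filter` table with an `input` chain (hypothetical).
    """
    peers = ", ".join(sorted(trusted, key=ipaddress.ip_address))
    return [
        f"add rule inet filter input tcp dport {port} ip saddr {{ {peers} }} accept",
        f"add rule inet filter input tcp dport {port} drop",
    ]


if __name__ == "__main__":
    for src, n in untrusted_phmonitor_peers(SAMPLE_LOG).items():
        print(f"ALERT untrusted source {src} hit TCP/{PHMONITOR_PORT} {n} time(s)")
    print("\n".join(nft_allowlist_rules()))
```

The allow-list is deliberately a pair of rules (accept trusted, then drop everything else on the port) so that a later change to the trusted set cannot silently reopen the port; the drop rule should be the last one evaluated for that destination port in your chain.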

Conclusion

The active exploitation of CVE-2025-64155 underscores the importance of timely vulnerability management, and the fact that the vulnerable component is the SIEM itself raises the stakes: a compromised FortiSIEM node both loses its own integrity and blinds the organization to whatever follows. Organizations running FortiSIEM should apply the fixed release, keep TCP port 7900 reachable only from legitimate nodes, and review logs for signs of compromise before assuming the window of exposure has closed.