Critical FortiSIEM Vulnerability Exposes Systems to Unauthenticated Remote Code Execution
Fortinet has recently addressed a critical security vulnerability in its FortiSIEM product, identified as CVE-2025-64155, which could allow unauthenticated attackers to execute arbitrary code on affected systems. This flaw, rated 9.4 out of 10 on the CVSS scale, underscores the severity of the issue and the urgency for users to apply the necessary patches.
Understanding CVE-2025-64155
CVE-2025-64155 is an operating system (OS) command injection vulnerability resulting from improper neutralization of special elements used in OS commands. This flaw enables unauthenticated attackers to execute unauthorized code or commands via specially crafted TCP requests. The vulnerability specifically affects the Super and Worker nodes of FortiSIEM, while Collector nodes remain unaffected.
Technical Breakdown
The vulnerability resides in FortiSIEM’s `phMonitor` service, a critical backend process responsible for health monitoring, task distribution, and inter-node communication over TCP port 7900. The issue arises from how this service handles incoming requests related to logging security events to Elasticsearch. By manipulating these requests, an attacker can invoke a shell script with user-controlled parameters, leading to argument injection via `curl` and enabling arbitrary file writes to the disk as the admin user.
This exploit can be further weaponized to achieve full system takeover. By writing a reverse shell to a specific file (`/opt/charting/redishb.sh`), which is executed every minute by a cron job with root-level permissions, an attacker can escalate privileges from admin to root, gaining complete control over the FortiSIEM appliance.
Affected Versions and Patches
The vulnerability impacts the following versions of FortiSIEM:
– 6.7.0 through 6.7.10
– 7.0.0 through 7.0.4
– 7.1.0 through 7.1.8
– 7.2.0 through 7.2.6
– 7.3.0 through 7.3.4
– 7.4.0
Fortinet has released patches to address this vulnerability in the following versions:
– 7.1.9 or above
– 7.2.7 or above
– 7.3.5 or above
– 7.4.1 or above
Notably, FortiSIEM version 7.5 and FortiSIEM Cloud are not affected by this vulnerability.
Discovery and Disclosure
The vulnerability was discovered and reported by Zach Hanley, a security researcher at Horizon3.ai, on August 14, 2025. Horizon3.ai has also released a proof-of-concept (PoC) exploit, highlighting the ease with which this vulnerability can be exploited. While there is currently no evidence of active exploitation in the wild, the availability of a PoC increases the risk of potential attacks.
Mitigation Recommendations
To mitigate the risk associated with CVE-2025-64155, Fortinet recommends the following actions:
1. Immediate Patching: Users should upgrade to the patched versions of FortiSIEM as listed above to remediate the vulnerability.
2. Restrict Access: As a temporary measure, limit access to the `phMonitor` service by restricting network access to TCP port 7900, the port on which the service listens.
3. Monitor Systems: Continuously monitor FortiSIEM systems for any unusual activity or unauthorized access attempts.
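For step 1, a small triage helper that applies the affected-version and fixed-version lists from this advisory, as an added example (not Fortinet's or Horizon3.ai's code); the upgrade target assumed for the 6.7 and 7.0 branches, which have no fixed build listed, is an assumption:

```python
"""Affected-version triage for CVE-2025-64155 (FortiSIEM phMonitor OS command
injection). Added example, not Fortinet's or Horizon3.ai's code; the version
ranges come from the advisory summary above, the fallback path is assumed."""
from typing import Optional, Tuple

# (lowest, highest) affected release per branch, as listed in the advisory.
AFFECTED_RANGES = [
    ((6, 7, 0), (6, 7, 10)),
    ((7, 0, 0), (7, 0, 4)),
    ((7, 1, 0), (7, 1, 8)),
    ((7, 2, 0), (7, 2, 6)),
    ((7, 3, 0), (7, 3, 4)),
    ((7, 4, 0), (7, 4, 0)),
]

# First fixed release per major.minor branch, as listed in the advisory.
# No fixed build is listed for 6.7 or 7.0, so those must move to a fixed branch.
FIXED_BY_BRANCH = {
    (7, 1): (7, 1, 9),
    (7, 2): (7, 2, 7),
    (7, 3): (7, 3, 5),
    (7, 4): (7, 4, 1),
}
# Assumption: the lowest fixed branch is the nearest target for 6.7 and 7.0.
FALLBACK_FIXED = (7, 1, 9)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (or 'major.minor') into a comparable tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True if the release falls inside an affected range (Super/Worker nodes)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def required_upgrade(version: str) -> Optional[str]:
    """Minimum fixed release for an affected version; None if no action needed."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]), FALLBACK_FIXED)
    return ".".join(str(n) for n in fixed)
```

Collector nodes are not affected per the advisory, so the result only applies to Super and Worker nodes.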
Broader Implications
This vulnerability is part of a series of security issues identified in Fortinet products. For instance, another critical vulnerability, CVE-2025-47855, was recently patched in FortiFone, which could allow unauthenticated attackers to obtain device configurations via specially crafted HTTP(S) requests. These recurring vulnerabilities highlight the importance of regular security assessments and prompt patch management to maintain the integrity and security of network infrastructures.
Conclusion
The discovery and patching of CVE-2025-64155 serve as a critical reminder of the ever-present threats in the cybersecurity landscape. Organizations utilizing FortiSIEM must act swiftly to apply the necessary updates and implement recommended security measures to protect their systems from potential exploitation. Staying vigilant and proactive in addressing such vulnerabilities is essential to safeguarding sensitive data and maintaining operational security.