Fortinet has released security updates to address a critical vulnerability in FortiSIEM that could allow unauthenticated attackers to execute arbitrary code on affected systems. The flaw poses a serious risk to organizations using vulnerable FortiSIEM deployments, particularly those with exposed management services.
Vulnerability Overview
The issue, tracked as CVE-2025-64155, carries a CVSS score of 9.4, indicating critical severity. According to Fortinet, the vulnerability stems from improper neutralization of special elements used in operating system commands, classified as OS command injection (CWE-78). Exploitation is possible through specially crafted TCP requests, without requiring authentication.
The vulnerability affects only Super and Worker nodes within FortiSIEM environments.
Affected and Fixed Versions
Fortinet confirmed the following impact and remediation paths:
- FortiSIEM 6.7.0 to 6.7.10, migrate to a fixed release
- FortiSIEM 7.0.0 to 7.0.4, migrate to a fixed release
- FortiSIEM 7.1.0 to 7.1.8, upgrade to 7.1.9 or later
- FortiSIEM 7.2.0 to 7.2.6, upgrade to 7.2.7 or later
- FortiSIEM 7.3.0 to 7.3.4, upgrade to 7.3.5 or later
- FortiSIEM 7.4.0, upgrade to 7.4.1 or later
- FortiSIEM 7.5, not affected
- FortiSIEM Cloud, not affected
Technical Details
Security researcher Zach Hanley from Horizon3.ai, who reported the vulnerability in August 2025, explained that the flaw consists of two key components:
- An unauthenticated argument injection vulnerability that enables arbitrary file writing, leading to remote code execution as the admin user
- A file overwrite privilege escalation flaw that allows attackers to escalate privileges to root
The root cause lies in FortiSIEM’s phMonitor service, a backend process responsible for health monitoring and inter-node communication over TCP port 7900. The service processes certain requests without authentication and passes user-controlled parameters to a shell script. This behavior enables argument injection through curl, resulting in arbitrary file writes.
Attackers can exploit this capability by writing a malicious reverse shell to /opt/charting/redishb.sh, a file executed every minute by a root-level cron job. This results in full system compromise and root access to the appliance.
Additional Fortinet Fixes
Fortinet also addressed another critical vulnerability in FortiFone, tracked as CVE-2025-47855 with a CVSS score of 9.3. This flaw could allow unauthenticated attackers to retrieve device configuration data through a crafted HTTP or HTTPS request to the Web Portal page.
Affected FortiFone versions include:
- FortiFone 3.0.13 to 3.0.23, upgrade to 3.0.24 or later
- FortiFone 7.0.0 to 7.0.1, upgrade to 7.0.2 or later
- FortiFone 7.2, not affected
Mitigation and Security Guidance
Fortinet strongly recommends upgrading to the latest fixed versions. As a temporary workaround for CVE-2025-64155, organizations should restrict network access to phMonitor port 7900.
Horizon3.ai has also released a proof-of-concept exploit demonstrating how an unauthenticated remote attacker could leverage this vulnerability to gain full control of a FortiSIEM appliance.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
