Fortinet has issued critical security updates to address a severe OS command injection vulnerability (CVE-2025-64155) in its FortiSIEM product. This flaw, rated 9.4 out of 10.0 on the CVSS scale, could allow unauthenticated attackers to execute arbitrary code on vulnerable systems through crafted network requests, posing a significant risk to organizational security. The company urges users to apply patches promptly to mitigate this threat.
The vulnerability resides within FortiSIEM’s Super and Worker nodes, affecting specific versions of the platform. According to Fortinet’s advisories, the vulnerability has been addressed in versions 6.7.11 and above for FortiSIEM 6.7, 7.0.5 and above for FortiSIEM 7.0, 7.1.9 and above for FortiSIEM 7.1, 7.2.7 and above for FortiSIEM 7.2, 7.3.5 and above for FortiSIEM 7.3, and 7.4.1 and above for FortiSIEM 7.4. FortiSIEM 7.5 and FortiSIEM Cloud are not affected. Users are advised to migrate or upgrade to the recommended fixed releases to ensure their systems are protected.
FortiSIEM Vulnerability Allows Remote Code Execution
The critical OS command injection flaw, CVE-2025-64155, stems from improper handling of special elements within OS commands by FortiSIEM. This oversight permits an unauthenticated attacker to inject unauthorized commands or code by sending specially crafted TCP requests to susceptible FortiSIEM instances. The discovery and reporting of this vulnerability are credited to Horizon3.ai security researcher Zach Hanley, who identified it on August 14, 2025.
Hanley’s analysis reveals that the exploit involves two primary stages. Initially, an unauthenticated argument injection vulnerability in the phMonitor service allows for arbitrary file writes, enabling remote code execution as an administrator. Subsequently, a file overwrite privilege escalation vulnerability grants root access, leading to a complete compromise of the affected appliance.
Technical Breakdown of the FortiSIEM Exploit
The core of the issue lies in how FortiSIEM’s phMonitor service, responsible for health monitoring and inter-node communication via TCP port 7900, processes requests related to logging security events to Elasticsearch. This process inadvertently invokes a shell script that accepts user-controlled parameters, opening the door to argument injection through the curl utility.
This capability for arbitrary file writes, executed within the context of the admin user, can be exploited to gain full system control. Attackers can leverage the curl argument injection to write a reverse shell script to “/opt/charting/redishb.sh.” This specific file is writable by an administrator and is executed every minute by a cron job running with root privileges. By placing a reverse shell here, an attacker can escalate their privileges from administrator to root, thereby achieving unfettered access to the FortiSIEM appliance.
A key factor enabling this attack is that the phMonitor service exposes several command handlers that do not require any form of authentication. This significantly lowers the barrier to entry for attackers who can simply gain network access to port 7900 to invoke these functions.
Fortinet Addresses Multiple Critical Vulnerabilities
In addition to the FortiSIEM flaw, Fortinet has also released patches for another critical security vulnerability affecting its FortiFone enterprise communications platform. This vulnerability, tracked as CVE-2025-47855 with a CVSS score of 9.3, could allow an unauthenticated attacker to obtain sensitive device configuration details through a specially crafted HTTP(S) request to the Web Portal page.
The FortiFone vulnerability impacts specific versions of the platform, including FortiFone 3.0.13 through 3.0.23 and FortiFone 7.0.0 through 7.0.1. Users are advised to upgrade to FortiFone 3.0.24 or above, and 7.0.2 or above, respectively, to secure their systems. FortiFone 7.2 is not affected by this vulnerability.
Recommendations and Next Steps
Fortinet strongly advises all users of the affected FortiSIEM and FortiFone versions to update to the latest patched releases as soon as possible to ensure optimal protection against these critical threats. As a temporary workaround for CVE-2025-64155, Fortinet is recommending that customers restrict network access to the phMonitor port (7900) on their FortiSIEM appliances.
Organizations relying on these Fortinet products should prioritize the patching process to prevent potential exploitation. Moving forward, continuous monitoring of Fortinet’s security advisories and prompt application of security updates will be crucial for maintaining a robust cybersecurity posture. The implications of these vulnerabilities highlight the ongoing importance of vulnerability management and timely patch deployment in protecting critical infrastructure.