Fortinet has released security updates to address a critical vulnerability in FortiSIEM that could allow an unauthenticated attacker to execute arbitrary code on affected systems. The flaw, tracked as CVE-2025-64155, carries a CVSS score of 9.4, placing it in the critical severity band.
According to Fortinet’s advisory, the issue stems from an OS command injection vulnerability (CWE-78) caused by improper neutralization of special elements in operating system commands. Exploitation is possible via crafted TCP requests, enabling attackers to execute unauthorized commands without authentication.
Affected Components and Versions
The vulnerability impacts FortiSIEM Super and Worker nodes only. The following versions are affected:
- FortiSIEM 6.7.0 – 6.7.10 (Migrate to a fixed release)
- FortiSIEM 7.0.0 – 7.0.4 (Migrate to a fixed release)
- FortiSIEM 7.1.0 – 7.1.8 (Upgrade to 7.1.9 or later)
- FortiSIEM 7.2.0 – 7.2.6 (Upgrade to 7.2.7 or later)
- FortiSIEM 7.3.0 – 7.3.4 (Upgrade to 7.3.5 or later)
- FortiSIEM 7.4.0 (Upgrade to 7.4.1 or later)
The following versions are not affected:
- FortiSIEM 7.5
- FortiSIEM Cloud
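For teams with more than a handful of nodes, the version table above is easiest to apply as an inventory triage script. The following is an added example, not Fortinet's tooling: it transcribes the affected ranges and vendor actions from the advisory summary above, parses version strings as they commonly appear in inventories (with an optional build suffix), and applies the Super/Worker scope rule. The hostnames and inventory rows are constructed. A version that falls outside every listed range is reported as "not in a listed affected range", which means "confirm against the advisory", not "safe".

```python
import re

# Affected ranges and vendor actions, transcribed from the advisory summary above.
# Each entry: (lowest affected, highest affected, recommended action).
FORTISIEM_AFFECTED = [
    ((6, 7, 0), (6, 7, 10), "Migrate to a fixed release"),
    ((7, 0, 0), (7, 0, 4), "Migrate to a fixed release"),
    ((7, 1, 0), (7, 1, 8), "Upgrade to 7.1.9 or later"),
    ((7, 2, 0), (7, 2, 6), "Upgrade to 7.2.7 or later"),
    ((7, 3, 0), (7, 3, 4), "Upgrade to 7.3.5 or later"),
    ((7, 4, 0), (7, 4, 0), "Upgrade to 7.4.1 or later"),
]

# The advisory scopes the flaw to Super and Worker nodes; other roles are reported as out of scope.
AFFECTED_ROLES = {"super", "worker"}

# Accepts "7.2.6", "v7.2.6", "7.5" and "7.2.6-build2015" (build suffix ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version, role):
    """Classify one node for CVE-2025-64155. Returns (affected, action)."""
    v = parse_version(version)
    if role.lower() not in AFFECTED_ROLES:
        return (False, "out of scope for CVE-2025-64155 (role is not Super/Worker)")
    for low, high, action in FORTISIEM_AFFECTED:
        if low <= v <= high:
            return (True, action)
    return (False, "not in a listed affected range; confirm against the advisory")


def triage(inventory):
    """Return (host, version, role, action) for every node that needs action."""
    todo = []
    for host, version, role in inventory:
        affected, action = assess(version, role)
        if affected:
            todo.append((host, version, role, action))
    return todo


# Constructed sample inventory with hypothetical hostnames, not real systems.
SAMPLE_INVENTORY = [
    ("siem-super-01", "7.2.6", "super"),
    ("siem-worker-01", "v7.2.6-build2015", "worker"),
    ("siem-worker-02", "7.2.7", "worker"),
    ("siem-collector-01", "7.1.8", "collector"),
    ("siem-super-02", "7.5.0", "super"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-18s %-18s %-9s -> %s" % row)
```

Feed it the output of whatever asset inventory records FortiSIEM version and node role; the two nodes on 7.2.6 are flagged with the vendor's "Upgrade to 7.2.7 or later" action, while the 7.2.7 worker, the 7.5 supervisor and the collector are left alone.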
Technical Details of the Exploit Chain
The vulnerability was discovered and responsibly disclosed by Zach Hanley, a security researcher at Horizon3.ai, on August 14, 2025. The exploit chain consists of two key stages:
- Unauthenticated argument injection, leading to arbitrary file writes and remote code execution as the admin user.
- Privilege escalation via file overwrite, ultimately granting root-level access to the appliance.
At the core of the issue is the phMonitor service, a backend component responsible for system health monitoring, task coordination, and inter-node communication over TCP port 7900. Certain command handlers exposed by this service do not enforce authentication.
When processing specific logging-related requests, phMonitor invokes a shell script using user-controlled parameters, which enables argument injection via curl. This allows attackers to write arbitrary files to disk in the context of the admin user.
Attackers can exploit this behavior to write a malicious reverse shell to /opt/charting/redishb.sh — a file that is writable by the admin user and executed every minute by a root-level cron job. This effectively escalates privileges from admin to root, resulting in full system compromise.
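The second stage of the chain depends on a file that root executes every minute yet a lower-privileged user can write. That condition is cheap to audit and to keep auditing after patching, and it generalises to any script run from a root cron job. The following is an added example written from the defender's side, not Fortinet's code: it checks ownership, writability of the file and its parent directory, symlink substitution, and content drift against a SHA-256 baseline. The path `/opt/charting/redishb.sh` is the one quoted above; the baseline hash must be taken from a known-good appliance, and the `demo()` function runs the same checks against a constructed stand-in file in a temporary directory (using the current user in place of root, since a demo cannot chown).

```python
import hashlib
import os
import stat
import tempfile

# Path quoted in the article; on a real appliance the audit would target this file.
CRON_SCRIPT = "/opt/charting/redishb.sh"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_root_cron_script(path, expected_sha256, expected_uid=0):
    """Audit a script that a root cron job executes. Returns a list of findings (empty = clean).

    expected_sha256 is the baseline from a known-good copy; expected_uid defaults to
    root because a root-run script should not be owned (and therefore writable) by anyone else.
    """
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink lets a lower-privileged user point root at any file they choose.
        return [f"{path} is a symlink; cron would execute its target"]
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"group/world writable (mode {oct(mode)}): a non-root user can change its contents")
    parent = os.stat(os.path.dirname(path) or ".")
    pmode = stat.S_IMODE(parent.st_mode)
    if pmode & (stat.S_IWGRP | stat.S_IWOTH) and not pmode & stat.S_ISVTX:
        findings.append(f"parent directory writable (mode {oct(pmode)}): the file can be swapped")
    actual = sha256_of(path)
    if actual != expected_sha256:
        findings.append(f"content changed: sha256 {actual[:16]}... != baseline {expected_sha256[:16]}...")
    return findings


def demo():
    """Constructed scenario in a temp dir: a clean baseline, then the same file after modification."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "redishb.sh")
    with open(path, "w") as f:
        f.write("#!/bin/bash\n# constructed stand-in for the heartbeat script\nredis-cli ping\n")
    os.chmod(path, 0o644)
    baseline = sha256_of(path)
    me = os.getuid()  # stand-in for root; a demo cannot chown
    clean = audit_root_cron_script(path, baseline, expected_uid=me)

    # Now make the file group-writable and change its contents, the two conditions the audit must catch.
    os.chmod(path, 0o664)
    with open(path, "a") as f:
        f.write("# constructed marker line representing unexpected content\n")
    tampered = audit_root_cron_script(path, baseline, expected_uid=me)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "no findings")
```

Run against the real path with a baseline hash and `expected_uid=0` from a scheduled job or a host-based sensor; any non-empty result on a Super or Worker node is worth an incident ticket, because the advisory describes exactly this file as the pivot from admin to root.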
Additional Fortinet Advisory: FortiFone Vulnerability
Fortinet also addressed another critical flaw in FortiFone, tracked as CVE-2025-47855 (CVSS score: 9.3). This issue could allow an unauthenticated attacker to retrieve device configuration data via a crafted HTTP(S) request to the Web Portal.
Affected FortiFone versions include:
- FortiFone 3.0.13 – 3.0.23 (Upgrade to 3.0.24 or later)
- FortiFone 7.0.0 – 7.0.1 (Upgrade to 7.0.2 or later)
FortiFone 7.2 is not affected.
Mitigation and Recommendations
Fortinet strongly recommends upgrading to the latest fixed versions to fully mitigate these vulnerabilities. As a temporary workaround for CVE-2025-64155, customers should restrict network access to the phMonitor service on TCP port 7900.
Given the severity and unauthenticated nature of the exploit, immediate patching is strongly advised.