Jan 14, 2026Ravie LakshmananVulnerability / Patch Administration
Fortinet has launched updates to repair a crucial safety flaw impacting FortiSIEM that would permit an unauthenticated attacker to realize code execution on inclined situations.
The working system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.
“An improper neutralization of particular parts utilized in an OS command (‘OS command injection’) vulnerability [CWE-78] in FortiSIEM might permit an unauthenticated attacker to execute unauthorized code or instructions through crafted TCP requests,” the corporate mentioned in a Tuesday bulletin.
Fortinet mentioned the vulnerability impacts solely Tremendous and Employee nodes, and that it has been addressed within the following variations –
FortiSIEM 6.7.0 by way of 6.7.10 (Migrate to a set launch)
FortiSIEM 7.0.0 by way of 7.0.4 (Migrate to a set launch)
FortiSIEM 7.1.0 by way of 7.1.8 (Improve to 7.1.9 or above)
FortiSIEM 7.2.0 by way of 7.2.6 (Improve to 7.2.7 or above)
FortiSIEM 7.3.0 by way of 7.3.4 (Improve to 7.3.5 or above)
FortiSIEM 7.4.0 (Improve to 7.4.1 or above)
FortiSIEM 7.5 (Not affected)
FortiSIEM Cloud (Not affected)
Horizon3.ai safety researcher Zach Hanley, who’s credited with discovering and reporting the flaw on August 14, 2025, mentioned it contains two transferring components –
An unauthenticated argument injection vulnerability that results in arbitrary file write, permitting for distant code execution because the admin consumer
A file overwrite privilege escalation vulnerability that results in root entry and utterly compromises the equipment
Particularly, the issue has to do with how FortiSIEM’s phMonitor service – a vital backend course of liable for well being monitoring, job distribution, and inter-node communication through TCP port 7900 – handles incoming requests associated to logging safety occasions to Elasticsearch.
This, in flip, invokes a shell script with user-controlled parameters, thereby opening the door to argument injection through curl and reaching arbitrary file writes to the disk within the context of the admin consumer.
This restricted file write could be weaponized to realize full system takeover weaponizing the curl argument injection to write down a reverse shell to “/choose/charting/redishb.sh,” a file that is writable by an admin consumer and is executed each minute by the equipment by way of a cron job that runs with root-level permissions.
In different phrases, writing a reverse shell to this file allows privilege escalation from admin to root, granting the attacker unfettered entry to the FortiSIEM equipment. A very powerful side of the assault is that the phMonitor service exposes a number of command handlers that don’t require authentication. This makes it simple for an attacker to invoke these capabilities just by acquiring community entry to port 7900.
Fortinet has additionally shipped fixes for an additional crucial safety vulnerability in FortiFone (CVE-2025-47855, CVSS rating: 9.3) that would permit an unauthenticated attacker to acquire gadget configuration through a specifically crafted HTTP(S) request to the Net Portal web page. It impacts the next variations of the enterprise communications platform –
FortiFone 3.0.13 by way of 3.0.23 (Improve to three.0.24 or above)
FortiFone 7.0.0 by way of 7.0.1 (Improve to 7.0.2 or above)
FortiFone 7.2 (Not affected)
Customers are suggested to replace to the newest variations for optimum safety. As workarounds for CVE-2025-64155, Fortinet is recommending that prospects restrict entry to the phMonitor port (7900).
