In August 2025, Fortinet issued an advisory for CVE-2025-25256, an OS command injection vulnerability (CWE-78) in FortiSIEM that uncovered the platform to unauthenticated distant code execution by way of crafted CLI requests.
Sensible exploits surfaced within the wild, prompting safety agency Horizon3.ai to conduct a deep investigation. Their evaluation uncovered a devastating chain: an unauthenticated argument injection vulnerability enabling arbitrary file writes and RCE because the admin person, paired with a file overwrite privilege escalation to root entry.
Fortinet assigned these CVE-2025-64155 beneath FG-IR-25-772. A proof-of-concept exploit is accessible on GitHub.
This marks one other chapter in FortiSIEM’s vulnerability saga for Horizon3.ai researchers, who’ve dissected the platform for years. Prior disclosures embrace CVE-2023-34992 (phMonitor command injection) and CVE-2024-23108 (second-order injection), detailed of their deep dives.
Though not listed in CISA’s Identified Exploited Vulnerabilities catalog, leaked Black Basta ransomware chats from earlier in 2025 referenced these flaws, indicating risk actor curiosity.
FortiSIEM Structure and phMonitor Publicity
FortiSIEM helps different deployments: all-in-one servers or supervisor-collector fashions, the place the phMonitor service handles inter-role communication over TCP/IP port 7900.
This service processes customized API messages with out authentication, mapping instructions to handlers by way of integers in phMonitorProcess::initEventHandler. Previous hardening decreased publicity, however vulnerabilities persist.
CVE-2025-64155 targets handleStorageRequest with “elastic” storage sort. Person-controlled XML tags like cluster_name and cluster_url feed into /decide/phoenix/phscripts/bin/elastic_test_url.sh.
Regardless of subprocess.run() wrappers and wrapShellToken escaping, the script’s curl invocation by way of execve permits argument injection.
By leveraging curl’s obscure –subsequent flag, attackers chain requests: –subsequent -o /decide/phoenix/bin/phLicenseTool .
This overwrites phLicenseTool executed each few seconds as a reverse shell, yielding admin entry.
VersionAffectedSolution7.4Not affectedN/A7.37.3.0-7.3.1Upgrade to 7.3.2+7.27.2.0-7.2.5Upgrade to 7.2.6+7.17.1.0-7.1.7Upgrade to 7.1.8+7.07.0.0-7.0.3Upgrade to 7.0.4+6.76.7.0-6.7.9Upgrade to six.7.10+6.6 and belowAll versionsMigrate to mounted launch
Admin shells pave the best way to root by way of cronjob abuse. The basis crontab /and many others/cron.d/fsm-crontab runs /decide/charting/redishb.sh each minute, writable by admin regardless of root execution. Overwriting it with a payload grants full compromise.
Indicators of Compromise
Monitor /decide/phoenix/log/phoenix.logs for PHL_ERROR entries logging elastic_test_url.sh abuse, together with malicious URLs and goal information (e.g., phLicenseTool overwrites).
Fortinet urges upgrades and port 7900 restrictions. Organizations ought to audit logs and patch instantly amid rising SIEM focusing on.
Observe us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to characteristic your tales.
