Fortinet FortiSIEM Vulnerability CVE-2025-64155 Actively Exploited in Attacks

Posted on By CWS

Fortinet FortiSIEM vulnerability CVE-2025-64155 is underneath lively exploitation, as confirmed by Defused by means of their honeypot deployments.

This important OS command injection flaw allows unauthenticated distant code execution, posing extreme dangers to enterprise safety monitoring methods.

CVE-2025-64155 stems from improper neutralization of particular components in OS instructions throughout the FortiSIEM phMonitor service, which handles inside information alternate throughout Tremendous and Employee nodes.

Attackers ship crafted TCP requests to port 7900, concentrating on storage configuration endpoints with an elastic kind set, injecting arguments right into a curl command by way of XML payloads for arbitrary file writes because the admin consumer.

A chained privilege escalation permits root entry by overwriting executed binaries.

Proof-of-concept code is public on GitHub, demonstrating full RCE chains. Fortinet’s advisory confirms no affect on Cloud or Collector nodes.

Product VersionAffected RangeFixed Model fortiguard+1​FortiSIEM 6.76.7.0 by means of 6.7.10Migrate to a set releaseFortiSIEM 7.07.0.0 by means of 7.0.4Migrate to a set releaseFortiSIEM 7.17.1.0 by means of 7.1.87.1.9 or aboveFortiSIEM 7.27.2.0 by means of 7.2.67.2.7 or aboveFortiSIEM 7.37.3.0 by means of 7.3.47.3.5 or aboveFortiSIEM 7.47.4.07.4.1 or aboveFortiSIEM 7.5Not affectedN/AFortiSIEM CloudNot affectedN/A

Defused detected focused assaults hitting honeypots shortly after patch launch, with payloads embedding second-stage infrastructure in injection strings.

Exploit makes an attempt log in /choose/phoenix/log/phoenix.log as PHL_ERROR entries exhibiting attacker URLs and file paths. The flaw’s unauthenticated nature and SIEM publicity amplify dangers, enabling log tampering, information exfiltration, or lateral motion.

Lively Exploitation (Supply: Defused)

Current indicators of compromise from Defused scans embrace:

IP AddressASN/Group 167.17.179[.]109Baxet Group Inc.103.224.84[.]76Siamdata Communication209.126.11[.]25Contabo120.231.127[.]227China Cell Communications Group129.226.190[.]169Tencent220.181.41[.]80IDC, China Telecommunications Company

Pattern payloads mimic elastic storage configs, like XML with cluster names (“test-cluster”), reproduction counts (4), and elasticsearch service checks, injecting by way of shard quantity or URI params. No CISA KEV itemizing but, however 23 prior Fortinet flaws are actively exploited.

Organizations should improve Tremendous/Employee nodes instantly per Fortinet’s advisory. Block exterior entry to TCP 7900 as a workaround. Monitor phMonitor logs for anomalies and scan for IOCs utilizing EDR instruments.

Fortinet urges prioritization given PoC availability and historic concentrating on. Enterprises counting on FortiSIEM for risk detection face irony: compromised SIEMs blind defenders to broader breaches.

Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , ,

Related Posts

Hackers Can Bypass OpenAI Guardrails Framework Using a Simple Prompt Injection Technique Cyber Security News
Researchers Uncover Link Between Belsen and ZeroSeven Cybercriminal Groups Cyber Security News
NVIDIA Container Toolkit Vulnerability Allows Elevated Arbitrary Code Execution Cyber Security News
Microsoft To Mandate MFA for Accounts Signing In to the Azure Portal Cyber Security News
28,000 Microsoft Exchange Servers Vulnerable to CVE-2025-53786 Exposed Online Cyber Security News
Hackers Attempted to Misuse Claude AI to Launch Cyber Attacks Cyber Security News