Fortinet FortiSIEM Vulnerability CVE-2025-64155 Actively Exploited in Attacks

Posted on By CWS

Fortinet FortiSIEM vulnerability CVE-2025-64155 is underneath lively exploitation, as confirmed by Defused by means of their honeypot deployments.

This important OS command injection flaw allows unauthenticated distant code execution, posing extreme dangers to enterprise safety monitoring methods.

CVE-2025-64155 stems from improper neutralization of particular components in OS instructions throughout the FortiSIEM phMonitor service, which handles inside information alternate throughout Tremendous and Employee nodes.

Attackers ship crafted TCP requests to port 7900, concentrating on storage configuration endpoints with an elastic kind set, injecting arguments right into a curl command by way of XML payloads for arbitrary file writes because the admin consumer.

A chained privilege escalation permits root entry by overwriting executed binaries.

Proof-of-concept code is public on GitHub, demonstrating full RCE chains. Fortinet’s advisory confirms no affect on Cloud or Collector nodes.

Product VersionAffected RangeFixed Model fortiguard+1​FortiSIEM 6.76.7.0 by means of 6.7.10Migrate to a set releaseFortiSIEM 7.07.0.0 by means of 7.0.4Migrate to a set releaseFortiSIEM 7.17.1.0 by means of 7.1.87.1.9 or aboveFortiSIEM 7.27.2.0 by means of 7.2.67.2.7 or aboveFortiSIEM 7.37.3.0 by means of 7.3.47.3.5 or aboveFortiSIEM 7.47.4.07.4.1 or aboveFortiSIEM 7.5Not affectedN/AFortiSIEM CloudNot affectedN/A

Defused detected focused assaults hitting honeypots shortly after patch launch, with payloads embedding second-stage infrastructure in injection strings.

Exploit makes an attempt log in /choose/phoenix/log/phoenix.log as PHL_ERROR entries exhibiting attacker URLs and file paths. The flaw’s unauthenticated nature and SIEM publicity amplify dangers, enabling log tampering, information exfiltration, or lateral motion.

Lively Exploitation (Supply: Defused)

Current indicators of compromise from Defused scans embrace:

IP AddressASN/Group 167.17.179[.]109Baxet Group Inc.103.224.84[.]76Siamdata Communication209.126.11[.]25Contabo120.231.127[.]227China Cell Communications Group129.226.190[.]169Tencent220.181.41[.]80IDC, China Telecommunications Company

Pattern payloads mimic elastic storage configs, like XML with cluster names (“test-cluster”), reproduction counts (4), and elasticsearch service checks, injecting by way of shard quantity or URI params. No CISA KEV itemizing but, however 23 prior Fortinet flaws are actively exploited.

Organizations should improve Tremendous/Employee nodes instantly per Fortinet’s advisory. Block exterior entry to TCP 7900 as a workaround. Monitor phMonitor logs for anomalies and scan for IOCs utilizing EDR instruments.

Fortinet urges prioritization given PoC availability and historic concentrating on. Enterprises counting on FortiSIEM for risk detection face irony: compromised SIEMs blind defenders to broader breaches.

Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , ,

Related Posts

U.S. DOJ Charged 54 in Connection With ATM Hacking Attack by Deploying Ploutus Malware Cyber Security News
LunaLock Ransomware Attacking Artists to Steal and Encrypt Data Cyber Security News
Spotify Launches Direct Message Feature for Music Sharing, What are the Risks Associated? Cyber Security News
Threat Actors Allegedly Listed Windows Zero-Day RCE Exploit For Sale on Dark Web Cyber Security News
Hackers Actively Attacking Cisco and Palo Alto Networks VPN Gateways to Gain Login Access Cyber Security News
Kimwolf Botnet Hacked 2 Million Devices and Turned User’s Internet Connection as Proxy Node Cyber Security News