
CVE-2025-64155 | Fortinet FortiSIEM

Horizon3.ai identified a zero-day remote code execution vulnerability affecting Fortinet FortiSIEM and responsibly disclosed it to Fortinet in August 2025. The vulnerability allows unauthenticated attackers with network access to a core FortiSIEM service to gain full administrative control of the appliance and escalate privileges to root. Fortinet has published a security advisory (FG-IR-25-772) and assigned this issue CVE-2025-64155, releasing patches that address this vulnerability for affected FortiSIEM releases. All versions of FortiSIEM 7.4 and below are affected. FortiSIEM Cloud is not affected.

While many deployments are not directly internet-facing, any instance where the vulnerable service is reachable should be considered at immediate risk due to the severity of impact. CVE-2025-64155 is a remote code execution vulnerability caused by improper neutralization of user-supplied input to an unauthenticated API endpoint exposed by the FortiSIEM phMonitor service. This service exposes a large set of command handlers that can be invoked remotely without authentication. The vulnerability allows argument injection into a curl invocation via crafted parameters, enabling an attacker to influence execution flow. This allows an unauthenticated attacker to write arbitrary files to arbitrary locations on the FortiSIEM appliance in the context of the FortiSIEM admin user.

By overwriting binaries or scripts that are executed on a recurring basis, the attacker can achieve reliable remote code execution. After achieving code execution as the admin user, attackers can escalate privileges to root, resulting in complete control of the FortiSIEM system. Instances are exploitable whenever the FortiSIEM phMonitor service, which listens on TCP port 7900 by default, is reachable over the network. No authentication is required to exploit this vulnerability once the service is reachable.

Fortinet published updates that address this vulnerability under advisory FG-IR-25-772. Customers should upgrade to the fixed FortiSIEM builds as soon as possible. Versions 7.3.2 and later, 7.2.6 and later, 7.1.8 and later, 7.0.4 and later, and 6.7.10 and later contain the fix. Until all systems can be updated, organizations should immediately reduce exposure by implementing network or host-based firewall rules to restrict access to the FortiSIEM server. Specifically, block or tightly limit access to the phMonitor service on TCP port 7900 and ensure FortiSIEM services are only reachable from trusted administrative networks. The vulnerability was discovered and reported to Fortinet PSIRT on 14 August 2025, with fixes released and coordinated disclosure occurring on 13 January 2026.
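As an added triage helper (not Horizon3.ai or Fortinet code), the following encodes the fixed builds listed above and reports whether a given FortiSIEM build string is at or above the fix for its branch; the version-string format and the handling of branches with no fix listed here (treated as affected pending a check of FG-IR-25-772) are assumptions.

```python
"""Patch-level triage for CVE-2025-64155 (FortiSIEM phMonitor, TCP 7900).

Added example, not code from the advisory or the vendor. Fixed builds are the
ones named in the write-up: 7.3.2, 7.2.6, 7.1.8, 7.0.4 and 6.7.10.
"""
import re
from typing import Tuple

PHMONITOR_PORT = 7900  # default listener the advisory says to firewall

# First fixed build per minor branch, as listed in the write-up.
FIXED_BUILDS = {
    (7, 3): (7, 3, 2),
    (7, 2): (7, 2, 6),
    (7, 1): (7, 1, 8),
    (7, 0): (7, 0, 4),
    (6, 7): (6, 7, 10),
}

# Newest branch the write-up says is affected; no fixed build is listed for it.
NEWEST_AFFECTED_BRANCH = (7, 4)

# Assumed format: optional 'v', major.minor, optional patch, optional build number.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '7.2.5', 'v7.3.2.1234' or '7.4' into (major, minor, patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised FortiSIEM version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(version: str) -> Tuple[str, str]:
    """Return (status, reason); status is 'fixed', 'affected' or 'unknown'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is not None:
        fixed_str = ".".join(map(str, fixed))
        if (major, minor, patch) >= fixed:
            return "fixed", f"{version} is at or above fixed build {fixed_str}"
        return "affected", f"{version} is below fixed build {fixed_str}; upgrade"
    if branch <= NEWEST_AFFECTED_BRANCH:
        # Assumption: a branch the write-up calls affected but lists no fix for
        # is treated as affected until checked against FG-IR-25-772.
        return "affected", f"no fixed build listed here for {major}.{minor}; check FG-IR-25-772"
    return "unknown", f"{major}.{minor} is newer than the branches covered here; check FG-IR-25-772"


if __name__ == "__main__":
    for build in ["7.3.1", "v7.3.2.1234", "6.7.10", "7.4.0", "7.5.0"]:  # constructed inventory
        status, reason = assess(build)
        print(f"{build:>14}  {status:<8}  {reason}  (restrict TCP {PHMONITOR_PORT} meanwhile)")
```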

To read the complete article, see Horizon3.ai.

This post is licensed under CC BY 4.0 by the author.