Fortinet has issued patches to address a critical vulnerability in FortiSIEM that could allow unauthenticated attackers to execute arbitrary code on affected systems.
The flaw, identified as CVE-2025-64155, is an OS command injection vulnerability rated 9.4 on the CVSS scale. According to Fortinet’s advisory, the issue stems from improper handling of special elements in OS commands (CWE-78), enabling attackers to send crafted TCP requests to execute unauthorized commands.
The vulnerability impacts only Super and Worker nodes and has been resolved in the following versions:
- FortiSIEM 6.7.0 – 6.7.10: Migrate to a fixed release
- FortiSIEM 7.0.0 – 7.0.4: Migrate to a fixed release
- FortiSIEM 7.1.0 – 7.1.8: Upgrade to 7.1.9 or later
- FortiSIEM 7.2.0 – 7.2.6: Upgrade to 7.2.7 or later
- FortiSIEM 7.3.0 – 7.3.4: Upgrade to 7.3.5 or later
- FortiSIEM 7.4.0: Upgrade to 7.4.1 or later
- FortiSIEM 7.5 and FortiSIEM Cloud: Not affected
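To turn the advisory table above into an inventory check, here is an added example (not Fortinet's or the researcher's code) that classifies each FortiSIEM node by version and node role; the hostnames, the `collector` role and the inventory list are constructed for illustration:

```python
from typing import NamedTuple, Optional

# Affected ranges and fixed releases for CVE-2025-64155, transcribed from the
# advisory text above (inclusive bounds; fix=None means no fixed release in branch).
ADVISORY = [
    ((6, 7, 0), (6, 7, 10), None),
    ((7, 0, 0), (7, 0, 4), None),
    ((7, 1, 0), (7, 1, 8), (7, 1, 9)),
    ((7, 2, 0), (7, 2, 6), (7, 2, 7)),
    ((7, 3, 0), (7, 3, 4), (7, 3, 5)),
    ((7, 4, 0), (7, 4, 0), (7, 4, 1)),
]
AFFECTED_ROLES = {"super", "supervisor", "worker"}  # only these node roles are impacted

class Assessment(NamedTuple):
    affected: Optional[bool]  # None = version not covered by the advisory table
    action: str

def parse_version(s: str) -> tuple:
    """Turn '7.1.8' or '7.5' into a comparable (major, minor, patch) tuple."""
    parts = s.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version: {s!r}")
    nums = tuple(int(p) for p in parts)
    return nums if len(nums) == 3 else nums + (0,)

def assess(version: str, role: str) -> Assessment:
    """Classify one node; role is the node type (assumed labels: super/worker/collector)."""
    v = parse_version(version)
    if role.lower() not in AFFECTED_ROLES:
        return Assessment(False, "node role not affected")
    if v[:2] >= (7, 5):
        return Assessment(False, "7.5 and later not affected")
    for low, high, fix in ADVISORY:
        if v[:2] != low[:2]:
            continue  # different release branch
        fix_str = ".".join(map(str, fix)) if fix else None
        if low <= v <= high:  # inside an affected range
            return Assessment(True, f"upgrade to {fix_str} or later" if fix
                              else "migrate to a fixed release")
        if fix is not None and v >= fix:
            return Assessment(False, f"already on fixed release ({fix_str} or later)")
        break
    return Assessment(None, "version not in advisory table; verify manually")

def triage(inventory):
    """Return (host, action) for every node that is affected or could not be classified."""
    return [(h, a.action) for h, ver, role in inventory
            if (a := assess(ver, role)).affected is not False]
```

Versions that fall in a branch the advisory lists but outside both the affected range and the fixed release (for example a 7.0.x build above 7.0.4) are reported as unclassified rather than silently marked safe.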
Security researcher Zach Hanley of Horizon3.ai, credited with discovering the flaw on August 14, 2025, explained that the exploit involves two components:
- An unauthenticated argument injection vulnerability enabling arbitrary file writes and remote code execution as an admin user.
- A privilege escalation flaw allowing attackers to overwrite files and gain root access, fully compromising the appliance.
The issue lies in FortiSIEM’s phMonitor service, which handles health monitoring and inter-node communication via TCP port 7900. Crafted requests trigger a shell script with user-controlled parameters, allowing argument injection through curl and arbitrary file writes. Attackers can escalate privileges by writing a reverse shell to /opt/charting/redishb.sh, a file executed every minute by a root-level cron job, granting full system control.
Because phMonitor exposes unauthenticated command handlers, attackers only need network access to port 7900 to exploit the flaw.
Fortinet also patched another critical vulnerability in FortiFone (CVE-2025-47855, CVSS 9.3), which could allow unauthenticated attackers to retrieve device configurations via crafted HTTP(S) requests to the Web Portal. Affected versions include:
- FortiFone 3.0.13 – 3.0.23: Upgrade to 3.0.24 or later
- FortiFone 7.0.0 – 7.0.1: Upgrade to 7.0.2 or later
- FortiFone 7.2: Not affected
Fortinet recommends updating to the latest versions immediately. As a temporary workaround for CVE-2025-64155, customers should restrict access to TCP port 7900.