A critical vulnerability in the Fortinet Security Information and Event Management (SIEM) solution for which technical details and a public exploit have been published could allow a remote, unauthenticated attacker to execute commands or code.
The vulnerability, tracked as CVE-2025-64155, is a combination of two issues that permit arbitrary write with admin permissions and elevation of privilege to root access.
Researchers at penetration testing company Horizon3.ai reported the security issue in mid-August 2025; however, it was fixed only on January 13, 2026.
Fortinet describes the CVE-2025-64155 vulnerability as "an improper neutralization of special elements used in an OS command vulnerability in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests."
Horizon3.ai said in a detailed write-up, "The exposure of dozens of unauthenticated, remote invokable command handlers on the phMonitor service is the root cause."
They also noted that the same service has been the entry point for several earlier FortiSIEM vulnerabilities, including CVE-2023-34992 and CVE-2024-23108, and that groups such as the Black Basta ransomware gang have shown genuine interest in exploiting these flaws in the past.
In addition to the technical details on CVE-2025-64155, a proof-of-concept (PoC) exploit has been made public by the researchers. They decided to release it because the vendor had already published a fix for the issue along with a security advisory.
This vulnerability exists in FortiSIEM firmware versions 6.7 through 7.5, and fixes are available in the following versions:
🔹FortiSIEM 7.4.1 or above
🔹FortiSIEM 7.3.5 or above
🔹FortiSIEM 7.2.7 or above
🔹FortiSIEM 7.1.9 or above
It also affects FortiSIEM 7.0 and 6.7.0. However, these versions are no longer supported, so neither of them will receive a patch for CVE-2025-64155. According to Fortinet, FortiSIEM 7.5 and FortiSIEM Cloud are not affected.
The only workaround the vendor offers for those who cannot immediately apply the security update is to restrict access to the phMonitor port (7900). Horizon3.ai has also shared indicators of compromise that may help identify compromised systems. In the log of messages received by phMonitor (/opt/phoenix/log/phoenix.logs), lines containing 'PHL_ERROR' should include the URL of the payload and the path of the file it was written to.
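As an added example (not from the article, Horizon3.ai or Fortinet), the following script applies that indicator to phoenix.logs: it keeps only PHL_ERROR lines that reference a remote URL and reports the URL together with any local file path on the same line. The log line layout and the IP addresses in the sample are constructed for the example; the real format may differ, so only the PHL_ERROR marker and the log path are taken from the article.

```python
import re
from typing import Dict, Iterable, List

# Log file and marker named in the Horizon3.ai indicators of compromise.
LOG_PATH = "/opt/phoenix/log/phoenix.logs"
MARKER = "PHL_ERROR"

# A remote payload URL, and an absolute path the payload was written to.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.-]+/)*[\w.-]+")

# Constructed sample log lines (format assumed, addresses from 198.51.100.0/24).
SAMPLE_LOG = """\
2026-01-14 09:12:01 PHL_INFO phMonitor: handler dispatched
2026-01-14 09:12:02 PHL_ERROR phMonitor: download failed http://198.51.100.23/stage.sh
2026-01-14 09:12:03 PHL_ERROR phMonitor: fetched http://198.51.100.23/payload.bin written to /tmp/payload.bin
2026-01-14 09:12:04 PHL_ERROR phMonitor: config reload failed for /opt/phoenix/config/phoenix_config.txt
"""


def scan_phmonitor_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per PHL_ERROR line that names a remote URL.

    PHL_ERROR lines without a URL (ordinary configuration or runtime
    errors) are ignored to keep the output focused on the indicator:
    a payload fetched from a URL and written to a local file.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        if MARKER not in line:
            continue
        urls = URL_RE.findall(line)
        if not urls:
            continue
        # Blank out the URLs first so their path component is not
        # reported as a local file that was written.
        without_urls = URL_RE.sub(" ", line)
        paths = PATH_RE.findall(without_urls)
        findings.append({"line": lineno, "urls": urls, "paths": paths})
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open(LOG_PATH) on a real appliance.
    for finding in scan_phmonitor_log(SAMPLE_LOG.splitlines()):
        print(finding)
```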