Fortinet has released an update that fixes a critical security flaw affecting FortiSIEM that could allow an unauthenticated attacker to execute code on a susceptible instance.
The operating system (OS) injection vulnerability tracked as CVE-2025-64155 is rated 9.4 out of 10.0 on the CVSS scoring system.
“Improper Disabling of Special Elements Used in OS Commands (“OS Command Injection”) Vulnerability” [CWE-78] “FortiSIEM could allow an unauthenticated attacker to execute malicious code or commands via a crafted TCP request,” the company said in a Tuesday bulletin.
Fortinet said the vulnerability only affects supernodes and worker nodes and is being addressed in the next version.
FortiSIEM 6.7.0 – 6.7.10 (migration to fixed release) FortiSIEM 7.0.0 – 7.0.4 (migration to fixed release) FortiSIEM 7.1.0 – 7.1.8 (upgrade to 7.1.9 or later) FortiSIEM 7.2.0 – 7.2.6 (upgrade to 7.2.7 or later) FortiSIEM 7.3.0 ~ 7.3.4 (upgrade to 7.3.5 or later) FortiSIEM 7.4.0 (upgrade to 7.4.1 or later) FortiSIEM 7.5 (not affected) FortiSIEM Cloud (not affected)
Zach Hanley, a security researcher at Horizon3.ai who is credited with discovering and reporting the flaw on August 14, 2025, said the flaw consists of two moving parts.
An unauthenticated argument injection vulnerability that can cause arbitrary file writes and remote code execution as an administrator user A file overwrite privilege escalation vulnerability that can lead to root access and fully compromise the appliance
Specifically, this issue concerns how FortiSIEM’s phMonitor service, a critical backend process responsible for health monitoring, task distribution, and inter-node communication over TCP port 7900, handles incoming requests related to logging security events to Elasticsearch.
This calls a shell script with user-controlled parameters, opens the door to argument insertion via curl, and achieves writing arbitrary files to disk in the context of an administrative user.
Armed with this limited file writing, a complete system takeover can be achieved. Armed with curl argument injection, you can write a reverse shell to ‘/opt/charting/redishb.sh’. This file is writable by the administrator user and is run every minute by the appliance by a cron job that runs with root-level permissions.
In other words, writing a reverse shell to this file allows privilege escalation from administrator to root, giving the attacker unfettered access to the FortiSIEM appliance. The most important aspect of this attack is that the phMonitor service exposes several command handlers that do not require authentication. This allows an attacker to easily call these functions simply by gaining network access to port 7900.
Fortinet also shipped a fix for another critical security vulnerability in FortiFone (CVE-2025-47855, CVSS score: 9.3). This could allow an unauthenticated attacker to obtain device settings via a specially crafted HTTP(S) request to a web portal page. This affects the following versions of the Enterprise Communications Platform:
FortiFone 3.0.13 – 3.0.23 (upgrade to 3.0.24 or later) FortiFone 7.0.0 – 7.0.1 (upgrade to 7.0.2 or later) FortiFone 7.2 (not affected)
We recommend users update to the latest version for optimal protection. As a workaround for CVE-2025-64155, Fortinet recommends customers restrict access to the phMonitor port (7900).
Source link
