
Critical FortiSIEM Flaw: Exploit Code Now Public

Summary

– A critical vulnerability (CVE-2025-25256) in Fortinet’s FortiSIEM allows unauthenticated remote attackers to execute arbitrary commands or code.
– The flaw stems from exposed command handlers in the phMonitor service, a recurring entry point for past FortiSIEM vulnerabilities exploited by groups like Black Basta.
– Fortinet has released patches for supported versions (6.7 to 7.4), but unsupported versions 7.0 and 6.7.0 will not receive a fix.
– Researchers at Horizon3.ai published technical details and a proof-of-concept exploit after Fortinet issued fixes and an advisory.
– The recommended mitigation is to patch immediately or, as a temporary workaround, restrict access to the phMonitor service on port 7900.

A critical vulnerability in Fortinet’s FortiSIEM platform now has public exploit code available, posing a significant risk to organizations that have not yet applied the necessary patches. This security flaw, identified as CVE-2025-25256, enables a remote attacker without any credentials to execute arbitrary commands and escalate privileges to gain full administrative control over affected systems. The issue stems from a combination of weaknesses: an unauthorized write performed with admin rights, followed by a complete takeover with root access.

Security researchers from Horizon3.ai discovered and reported the problem in August 2025. Fortinet released fixes for most of the product’s development branches by early November, confirming this week that patches are now available for all supported versions facing the threat. The company officially classifies the vulnerability as an improper neutralization flaw within the OS command function, which could be triggered by specially crafted TCP requests from an unauthenticated source.

The technical analysis points to the phMonitor service as the root cause. This service exposes numerous command handlers that can be remotely activated without requiring login credentials. Experts note that this same component has been a recurring weak spot, linked to previous critical vulnerabilities such as CVE-2023-34992 and CVE-2024-23108. The continued exploitation of this service has drawn attention from sophisticated threat actors, including ransomware operations like Black Basta, which have actively targeted similar weaknesses in the past.

Following Fortinet’s publication of an advisory and corresponding fixes, Horizon3.ai has released a detailed write-up alongside functional exploit code. This public disclosure aims to underscore the urgency for remediation while providing defenders with the information needed to detect attacks.

The vulnerability affects a wide range of FortiSIEM versions, specifically from 6.7 through 7.5. Patched versions are now available for the following releases:

  • FortiSIEM 7.4.1 or above
  • FortiSIEM 7.3.5 or above
  • FortiSIEM 7.2.7 or above
  • FortiSIEM 7.1.9 or above

It is crucial to note that versions 7.0 and 6.7.0 are also vulnerable but reside outside the vendor’s support lifecycle, meaning they will not receive an official patch. Fortinet has clarified that the newer FortiSIEM 7.5 and FortiSIEM Cloud offerings are not impacted by this particular flaw.

For administrators who cannot implement the update immediately, the sole recommended mitigation is to restrict network access to the phMonitor service port, which is TCP 7900. This can help block unauthenticated remote exploitation attempts until a permanent patch is applied.

To assist with threat hunting, Horizon3.ai has provided indicators of compromise. Organizations should scrutinize their system logs, specifically the file at `/opt/phoenix/log/phoenix.logs`. Any log line containing `PHL_ERROR` that also references a URL payload and a destination file path could signal an active compromise attempt leveraging this vulnerability.
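A first-pass hunt for the log pattern described above, as an added example that is not Horizon3.ai's or Fortinet's code: it flags lines carrying `PHL_ERROR` together with a URL and an absolute destination path. The sample log lines are constructed for illustration, since the article does not show the real phMonitor message layout, so matches are triage candidates for an analyst rather than confirmed compromise.

```python
import re
from typing import Iterable, List, NamedTuple

# Constructed sample lines (not real FortiSIEM output): they only
# illustrate the "PHL_ERROR + URL + destination path" heuristic.
SAMPLE_LOG = """\
2025-11-12 10:01:03 PHL_INFO phMonitor: handler registered on port 7900
2025-11-12 10:02:17 PHL_ERROR phMonitor: failed to fetch http://198.51.100.7/drop.sh into /opt/phoenix/bin/update.sh
2025-11-12 10:02:18 PHL_ERROR phMonitor: invalid argument count for command handler
2025-11-12 10:03:40 PHL_ERROR phMonitor: could not write https://203.0.113.9/x to /tmp/.cache/payload
2025-11-12 10:04:02 PHL_WARN phMonitor: retrying http://203.0.113.9/x into /tmp/retry
"""

URL_RE = re.compile(r"\bhttps?://[^\s'\"<>]+", re.IGNORECASE)
# Absolute Unix path not glued to a preceding word or slash (so URL paths are excluded).
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.-]+/)*[\w.-]+")


class Hit(NamedTuple):
    line_no: int
    url: str
    path: str
    raw: str


def find_suspicious_lines(lines: Iterable[str]) -> List[Hit]:
    """Return lines that contain PHL_ERROR, at least one URL and a file path."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, 1):
        if "PHL_ERROR" not in line:
            continue
        urls = URL_RE.findall(line)
        if not urls:
            continue
        # Blank out the URLs first so their own path components are not mistaken
        # for a destination path on disk.
        paths = PATH_RE.findall(URL_RE.sub(" ", line))
        if not paths:
            continue
        hits.append(Hit(line_no, urls[0], paths[-1], line.rstrip()))
    return hits


def scan_log_file(path: str = "/opt/phoenix/log/phoenix.logs") -> List[Hit]:
    """Scan the FortiSIEM log named in the advisory coverage above."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_lines(fh)


if __name__ == "__main__":
    for hit in find_suspicious_lines(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: url={hit.url} dest={hit.path}")
```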

(Source: Bleeping Computer)
