Critical FortiSIEM Flaw Patched: Remote Code Execution Risk

A critical security vulnerability in Fortinet’s FortiSIEM platform has been patched, addressing a severe risk that could let attackers remotely execute code without needing any login credentials. This flaw, identified as CVE-2025-64155, carries a high severity rating of 9.4 out of 10. According to the company’s advisory, the issue stems from improper neutralization of special elements in an OS command, a classic OS command injection weakness. An unauthenticated attacker could exploit this by sending specially crafted TCP requests to execute unauthorized commands on vulnerable systems.

The vulnerability specifically targets Super and Worker nodes within FortiSIEM deployments. Fortinet has released fixes across multiple product versions. Affected users must migrate or upgrade their installations immediately. The impacted versions include FortiSIEM 6.7.0 through 6.7.10, 7.0.0 through 7.0.4, 7.1.0 through 7.1.8, 7.2.0 through 7.2.6, 7.3.0 through 7.3.4, and 7.4.0. Updates are available for each branch, while versions 7.5 and FortiSIEM Cloud remain unaffected.

Security researcher Zach Hanley of Horizon3.ai discovered and reported the flaw in mid-August 2025. His analysis reveals the vulnerability involves two distinct stages that together enable complete system compromise. The first part is an unauthenticated argument injection flaw that results in arbitrary file writing with admin user privileges. The second is a file overwrite privilege escalation mechanism that ultimately grants root access, leading to total control of the appliance.

The technical root cause lies within FortiSIEM’s phMonitor service. This essential backend component handles health checks, task distribution, and communication between nodes using TCP port 7900. When processing certain requests for logging security events to Elasticsearch, the service calls a shell script. Attackers can inject malicious arguments into this process, primarily through the curl command, which allows them to write arbitrary files to the disk with admin-level permissions.

This initial file write capability is powerful but limited. Attackers can weaponize it by exploiting the curl argument injection to place a reverse shell into a specific file path: /opt/charting/redishb.sh. This file is writable by the admin user and is executed automatically every minute by a cron job running with full root permissions. By writing a malicious payload here, an attacker escalates privileges from admin to root, achieving unfettered access. A key factor enabling this attack is that the phMonitor service exposes several command handlers that do not require any authentication. This means any attacker with network access to port 7900 can invoke these functions directly.

As an interim workaround, Fortinet advises customers to restrict access to the phMonitor port (7900). However, applying the official security updates is the definitive solution for complete protection. In a related development, Horizon3.ai has published a proof-of-concept exploit demonstrating how remote, unauthenticated attackers can leverage CVE-2025-64155 to execute arbitrary code and take over an appliance.

Fortinet also addressed another separate critical vulnerability in its FortiFone enterprise communications platform, tracked as CVE-2025-47855 with a CVSS score of 9.3. This flaw could allow an unauthenticated attacker to obtain sensitive device configuration information via a specially crafted request to the Web Portal page. Affected versions include FortiFone 3.0.13 through 3.0.23 and 7.0.0 through 7.0.1, which require upgrading to newer patched releases. System administrators are strongly urged to apply all relevant updates promptly to secure their network environments against these serious threats.

(Source: The Hacker News)