Critical FortiSIEM Exploit Released: CVE-2025-64155 PoC
▼ Summary
– A critical vulnerability (CVE-2025-64155) in Fortinet’s FortiSIEM allows unauthenticated remote attackers to execute arbitrary code via crafted TCP requests.
– The flaw targets the phMonitor service, enabling attackers to write and execute code as the root user, turning the security platform into a launchpad for further attacks.
– Fortinet has released patches, advising users to upgrade to specific fixed versions or, if not possible, to restrict access to the phMonitor port (7900).
– The vulnerability affects Supervisor and Worker nodes but not Collector nodes, FortiSIEM Cloud, or FortiSIEM version 7.5.
– Defenders can check system logs for specific PHL_ERROR entries containing attacker-supplied URLs and file paths as indicators of compromise.
A critical security flaw in Fortinet’s FortiSIEM platform now has publicly available exploit code, significantly increasing the risk for organizations that have not yet applied the patch. The vulnerability, tracked as CVE-2025-64155, enables unauthenticated remote attackers to execute arbitrary code on affected systems through specially crafted TCP requests. This development transforms the issue from a theoretical threat into an immediate and active danger, demanding urgent attention from security teams worldwide.
The flaw specifically targets the phMonitor service, a core component often described as the platform’s nervous system. By exploiting this weakness, an attacker can write malicious code into a file that the system then executes with root-level privileges. This provides complete control over the compromised device. A security researcher explained that the exploit effectively turns a company’s central security monitoring tool into a covert launchpad for further attacks across the network.
Discovered by a researcher at Horizon3.ai, the vulnerability was privately reported to Fortinet, which has since released fixes. Customers are strongly advised to upgrade their installations to a patched version immediately. The fixed releases include FortiSIEM v7.4.1 or later, 7.3.5 or later, 7.2.7 or later, and 7.1.9 or later. Organizations still running versions 7.0.x or 6.7.x must migrate to one of these supported and secured releases.
For administrators who cannot apply the update immediately, a crucial temporary mitigation is available: restricting network access to the phMonitor service port, which is TCP port 7900. It is important to note that this vulnerability does not impact FortiSIEM Cloud or version 7.5 installations. Furthermore, within a typical deployment, Supervisor and Worker nodes are vulnerable, but Collector nodes responsible for log ingestion remain unaffected.
Investigators found this latest flaw while examining a previously patched issue, CVE-2025-25256, for which exploit code had already been observed in active attacks. Unlike its predecessor, exploitation of CVE-2025-64155 does leave detectable traces in system logs. Security teams should monitor for suspicious activity, particularly looking for PHL_ERROR entries within phMonitor logs. These entries may contain unusual URLs or file paths that an attacker uses to deliver and write a malicious payload to the system.
(Source: HelpNet Security)
