Critical Fortinet Flaw Actively Exploited by Hackers

Summary
– A critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) with public exploit code is now being actively exploited in attacks.
– The flaw is an OS command injection that allows unauthenticated attackers to execute commands and escalate to root access via the phMonitor service.
– It affects FortiSIEM versions 6.7 to 7.5, and Fortinet has released patches and a temporary workaround to limit access to port 7900.
– Threat intelligence firm Defused confirmed active, targeted exploitation, while Horizon3.ai provided indicators of compromise for detection.
– This follows a pattern of recent Fortinet product exploits, including zero-days in FortiWeb and past FortiOS vulnerabilities used by state-sponsored groups.
A critical security vulnerability within Fortinet’s FortiSIEM platform is now under active exploitation by malicious actors, posing a significant risk to organizations using the affected software. The flaw, identified as CVE-2025-64155, allows attackers to execute arbitrary commands and gain complete control over systems without requiring any authentication. Security updates are available, and immediate patching is strongly advised.
The issue stems from a combination of two weaknesses that enable arbitrary writes with administrative privileges and subsequent escalation to full root access. Fortinet describes it as an OS command injection vulnerability within FortiSIEM, where crafted TCP requests from an unauthenticated attacker can trigger unauthorized command execution. The company released patches to address this critical flaw.
Technical analysis from Horizon3.ai reveals the root cause: the phMonitor service exposes dozens of command handlers that can be remotely invoked without any login credentials. The firm has published proof-of-concept exploit code demonstrating how an attacker can abuse an argument injection to overwrite a specific system file, ultimately achieving code execution with the highest level of permissions.
This vulnerability impacts FortiSIEM versions ranging from 6.7 up to 7.5. To secure their environments, users must upgrade to a fixed release. Specifically, organizations should move to FortiSIEM version 7.4.1 or later, 7.3.5 or later, 7.2.7 or later, or 7.1.9 or later. Those running versions 7.0.0 through 7.0.4 or 6.7.0 through 6.7.10 are instructed to migrate entirely to a patched release.
For administrators unable to apply the security updates immediately, Fortinet provided a temporary mitigation strategy. This workaround involves restricting access to the phMonitor service port, which is TCP port 7900, to help block potential attack vectors.
Despite the availability of patches, the threat has escalated rapidly. Threat intelligence company Defused reported observing active, targeted exploitation of CVE-2025-64155 in real-world attacks through its monitoring systems. This confirmation indicates that hackers are actively leveraging the flaw to breach networks.
To assist security teams in identifying potential compromises, Horizon3.ai has shared indicators of compromise. Defenders can examine their systems by checking the phMonitor message logs located at `/opt/phoenix/log/phoenix.logs`. They should look for suspicious payload URLs within log lines that contain PHL_ERROR entries, which may signal malicious activity.
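As an added example (not code from the article, Fortinet, or Horizon3.ai), the following script applies the check described above to phMonitor log lines: it flags PHL_ERROR entries that carry a URL-like string. Only the log path and the PHL_ERROR marker come from the article; the log line format, field layout and sample entries are constructed assumptions.

```python
# Added example: flag PHL_ERROR log lines that contain a URL, as a first-pass
# triage of /opt/phoenix/log/phoenix.logs. The line format below is a guess;
# the check keys only on the PHL_ERROR marker and on URL-shaped tokens.
import re
from typing import Dict, Iterable, List

LOG_PATH = "/opt/phoenix/log/phoenix.logs"  # path named in the article

# Matches http(s)/ftp URLs up to the next whitespace or common delimiter.
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>,;]+", re.IGNORECASE)


def flag_suspicious_lines(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per PHL_ERROR line that embeds at least one URL."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if "PHL_ERROR" not in line:
            continue  # only error entries are of interest here
        urls = URL_RE.findall(line)
        if not urls:
            continue  # ordinary error without a payload URL
        findings.append({"line": lineno, "urls": urls, "raw": line.rstrip("\n")})
    return findings


def scan_file(path: str = LOG_PATH) -> List[Dict]:
    """Scan a log file on disk (tolerates non-UTF-8 bytes)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return flag_suspicious_lines(fh)


# Constructed sample entries (assumed format). 198.51.100.7 is an RFC 5737
# documentation address; example.invalid is a reserved test domain.
SAMPLE_LOG = """\
2025-11-20T10:01:02 [PHL_INFO]: phMonitor listening on port 7900
2025-11-20T10:05:17 [PHL_ERROR]: handler failed, arg=http://198.51.100.7/x.sh
2025-11-20T10:05:18 [PHL_ERROR]: disk usage threshold exceeded on /data
2025-11-20T10:06:00 [PHL_INFO]: health check ok https://example.invalid/ok
"""

if __name__ == "__main__":
    for f in flag_suspicious_lines(SAMPLE_LOG.splitlines(True)):
        print(f"line {f['line']}: {f['urls']} <- {f['raw']}")
```

Run `scan_file()` on the appliance's actual log to triage real entries; any hit warrants a closer look at the surrounding context rather than being treated as proof of compromise on its own.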
Fortinet has not yet updated its official advisory to reflect the active exploitation reports. The company’s response to inquiries about these incidents was not immediately available.
This event continues a concerning pattern of Fortinet product vulnerabilities being exploited. Late last year, attackers targeted a FortiWeb zero-day flaw, followed by the discovery of a second, silently patched FortiWeb zero-day exploited in widespread attacks. Furthermore, earlier this year, it was revealed that the Chinese state-sponsored group Volt Typhoon used two older FortiOS vulnerabilities to implant persistent malware on a Dutch military network, highlighting the persistent attention these products receive from advanced threat actors.
(Source: Bleeping Computer)