4 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
FortiSIEM OS Command Injection Vulnerability
CVSS Score: 9.8 (Critical)
Identifier: CVE-2025-25256
Exploit or POC: Yes – Practical exploit code exists in the wild
Update: CVE-2025-25256 – Fortinet Security Advisory
Description: CVE-2025-25256 is a severe command injection flaw in Fortinet FortiSIEM. An unauthenticated, remote attacker can exploit this vulnerability by sending specially crafted CLI requests that inject arbitrary operating system commands—without needing credentials or user interaction. Fortinet has confirmed that exploit code is circulating in the wild, heightening the risk of rapid and widespread abuse.
Affected Versions:
- FortiSIEM 6.1 through 6.7.9
- FortiSIEM 7.0.0 through 7.3.1
Older versions in the 5.x branch are also impacted
Mitigation Recommendation:
Immediately upgrade to one of the patched versions:
- FortiSIEM 6.7.10 or later
- FortiSIEM 7.0.4 or later
- FortiSIEM 7.1.8 or later
- FortiSIEM 7.2.6 or later
- FortiSIEM 7.3.2 or later
If updates cannot be applied immediately, restrict network access to the phMonitor port (TCP/7900) to trusted internal sources only.
Monitor logs for anomalous CLI usage indicative of command injection attempts.
Isolate FortiSIEM deployments from internet-facing segments and ensure monitoring systems are not compromised.
