Emergency Security Bulletin: Unauthenticated OS Command Injection in Fortinet FortiSIEM

By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2025-64155 is a critical unauthenticated operating system command injection vulnerability in Fortinet FortiSIEM, affecting the phMonitor service. Due to improper input validation, a remote unauthenticated attacker with network access to the service, commonly exposed on TCP port 7900, can send specially crafted requests that are interpreted as OS commands and executed by the underlying system. Successful exploitation enables full remote command execution and may lead to complete compromise of FortiSIEM Manager, Worker, or Collector nodes.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Unauthenticated OS Command Injection in Fortinet FortiSIEM

CVSS Score: 9.8 (Critical, CVSS v3.1)
Identifier: CVE-2025-64155
Exploit or Proof of Concept (PoC): Public proof-of-concept exploit code is available demonstrating unauthenticated remote command execution against vulnerable FortiSIEM deployments.

Update/Patch:

Fortinet has released an official PSIRT advisory and patches for CVE-2025-64155:
https://www.fortiguard.com/psirt/FG-IR-25-772
Affected versions and the corresponding fixed releases:

  • FortiSIEM 7.4.0 → upgrade to 7.4.1 or above
  • FortiSIEM 7.3.0 through 7.3.4 → upgrade to 7.3.5 or above
  • FortiSIEM 7.2.0 through 7.2.6 → upgrade to 7.2.7 or above
  • FortiSIEM 7.1.0 through 7.1.8 → upgrade to 7.1.9 or above
  • FortiSIEM 7.0.x and 6.7.x → migrate to a supported, patched release
Administrators must ensure all FortiSIEM Manager, Worker, and Collector nodes are upgraded to fixed builds and verify version levels after patching.
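To support the version verification step above, the following is an added example (not Fortinet's or RedLegg's code) that maps a FortiSIEM version string to its status under CVE-2025-64155 using the version table in this bulletin. It assumes dotted numeric version strings such as "7.3.2" (an optional build suffix like "-1234" is ignored); branches not listed in the table are reported as "unknown" rather than guessed.

```python
# Added example (not Fortinet's or RedLegg's code): map a FortiSIEM version
# string to its CVE-2025-64155 status using the bulletin's version table.
# Assumptions: versions are dotted numerics like "7.3.2"; branches outside
# the table are reported as "unknown" rather than guessed.
from __future__ import annotations

# Per release branch: (first affected, last affected, first fixed), from the bulletin.
AFFECTED_BRANCHES = {
    (7, 4): ((7, 4, 0), (7, 4, 0), "7.4.1"),
    (7, 3): ((7, 3, 0), (7, 3, 4), "7.3.5"),
    (7, 2): ((7, 2, 0), (7, 2, 6), "7.2.7"),
    (7, 1): ((7, 1, 0), (7, 1, 8), "7.1.9"),
}
# Branches the bulletin says must migrate to a supported, patched release.
END_OF_LIFE_BRANCHES = {(7, 0), (6, 7)}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '7.3.2' (or '7.3.2-1234' with a build suffix) into an int tuple."""
    parts = version.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(version: str) -> tuple[str, str | None]:
    """Return (status, target) with status in {'vulnerable', 'fixed',
    'migrate', 'unknown'} and target the release to move to, if any."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in END_OF_LIFE_BRANCHES:
        return "migrate", "supported, patched release"
    if branch not in AFFECTED_BRANCHES:
        return "unknown", None
    first, last, fixed = AFFECTED_BRANCHES[branch]
    if first <= (major, minor, patch) <= last:
        return "vulnerable", fixed
    return "fixed", None


def triage(inventory: dict[str, str]) -> dict[str, tuple[str, str | None]]:
    """Assess a {node_name: version} inventory of Manager/Worker/Collector nodes."""
    return {node: assess(ver) for node, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"siem-mgr-01": "7.3.2", "siem-worker-01": "7.2.7", "siem-coll-03": "6.7.9"}
    for node, result in triage(sample).items():
        print(node, result)
```

Feed it the version strings collected from each Manager, Worker, and Collector node after patching; any node still reported as "vulnerable" or "migrate" needs action.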

Description:
CVE-2025-64155 is an operating system command injection vulnerability in the FortiSIEM phMonitor service caused by improper input validation. An unauthenticated attacker with network access to the service (commonly TCP port 7900) can send specially crafted requests that are interpreted as OS commands and executed by the underlying system.

Mitigation Recommendation:

Immediately apply the Fortinet PSIRT-recommended updates as detailed in advisory FG-IR-25-772.

Restrict network access to the phMonitor service (TCP 7900) to trusted internal management networks only and block exposure from untrusted or internet-facing segments.

Review firewall rules and network segmentation to ensure FortiSIEM services are not reachable from user or DMZ networks.

Monitor FortiSIEM application logs and host OS logs for unusual inbound connections, unexpected process execution, and abnormal command activity.