CVE-2025-64155: Critical Unauthenticated Remote Code Execution in Fortinet FortiSIEM

CyberDefender 3 mins0

CVE-2025-64155 is a critical remote code execution (RCE) vulnerability affecting Fortinet’s FortiSIEM security information and event management (SIEM) appliance. It stems from an OS command injection flaw, allowing attackers to execute arbitrary commands on the target system without authentication.

Technical Details

  • Vulnerability Type: OS Command Injection (CWE-78) — improper neutralization of special elements used in OS commands.
  • Affected Service: The phMonitor service in FortiSIEM, which exposes internal command handlers over TCP without requiring authentication.
  • Attack Vector: Network — remote exploitation via crafted TCP requests.
  • Privileges Required: None (unauthenticated).
  • Impact:
    • Leads to unauthorized command execution and arbitrary code execution on the FortiSIEM appliance.
    • An attacker can write arbitrary files, enabling remote code execution at the admin level and, through privilege escalation techniques (e.g., modifying admin-writable scripts executed by root), achieve root access and full system compromise.

Severity

  • CVSS Score: Critically rated (around 9.4–9.8 / 10) in current assessments.
  • Confidentiality, Integrity & Availability Impact: All high — meaning exploitation can lead to sensitive data exposure, system modification, and service disruption.

Affected Products & Versions

FortiSIEM versions that are vulnerable include:

  • 6.7.0 through 6.7.10
  • 7.0.0 through 7.0.4
  • 7.1.0 through 7.1.8
  • 7.3.0 through 7.3.4
  • 7.4.0
    (Administrators should verify their exact build numbers against Fortinet advisories.)

Mitigation and Remediation

Patch and Upgrade:
Fortinet has released updates that fix CVE-2025-64155. Administrators should apply these patches immediately to affected FortiSIEM deployments.

Temporary Workarounds:
While patches are the preferred solution, Fortinet also recommends restricting access to the phMonitor TCP port (7900) using network controls (e.g., firewall rules) until fixes are applied.

Why This Matters

FortiSIEM is a critical security monitoring platform used by many enterprises. With this vulnerability:

  • No authentication is required for exploitation.
  • Attackers could fully compromise the appliance, potentially tamper with security event data and logs, and use the platform as a foothold for further attacks within the network.

CyberDefender