Fortinet has patched a critical vulnerability (CVE-2025-64155) in FortiSIEM that allows unauthenticated attackers to execute arbitrary code and escalate privileges to root. Affected users must update immediately.
Fortinet has released critical updates addressing a severe vulnerability in its FortiSIEM security information and event management solution. Tracked as CVE-2025-64155 with a CVSS score of 9.4, this OS command injection flaw enables unauthenticated attackers to execute arbitrary commands on vulnerable systems through specially crafted TCP requests targeting the phMonitor service.
Horizon3.ai researcher Zach Hanley, who discovered and reported the flaw, explained the exploit chain involves two critical components: First, an unauthenticated argument injection vulnerability allows attackers to write arbitrary files to the system with admin privileges. Second, a privilege escalation mechanism leverages a cron job that executes a writable script (/opt/charting/redishb.sh) every minute with root permissions. By injecting a reverse shell into this script, attackers gain complete control of the appliance.
The vulnerability specifically affects FortiSIEM's phMonitor service (TCP port 7900), which handles health monitoring and inter-node communication. Crucially, this service exposes multiple command handlers without requiring authentication, meaning any network access to port 7900 is sufficient for exploitation.
Affected Versions and Updates
Fortinet recommends immediate action for these versions:
- FortiSIEM 6.7.0 - 6.7.10: Migrate to fixed release
- FortiSIEM 7.0.0 - 7.0.4: Migrate to fixed release
- FortiSIEM 7.1.0 - 7.1.8: Upgrade to 7.1.9+
- FortiSIEM 7.2.0 - 7.2.6: Upgrade to 7.2.7+
- FortiSIEM 7.3.0 - 7.3.4: Upgrade to 7.3.5+
- FortiSIEM 7.4.0: Upgrade to 7.4.1+
Super and Worker nodes are vulnerable; Horizon and Collector nodes are unaffected. As a temporary workaround, organizations should restrict network access to port 7900.
Additional Critical Fix
Fortinet also patched CVE-2025-47855 (CVSS 9.3) in FortiFone, which could expose device configurations via unauthenticated HTTP(S) requests. Affected versions:
- FortiFone 3.0.13 - 3.0.23: Upgrade to 3.0.24+
- FortiFone 7.0.0 - 7.0.1: Upgrade to 7.0.2+
Security teams managing Fortinet products should prioritize these updates, as both vulnerabilities enable significant system compromise with low attack complexity. Administrators can reference Fortinet's advisory portal for detailed mitigation guidance.
Comments
Please log in or register to join the discussion