Fortinet has released updates to fix a critical security flaw affecting FortiSIEM that could allow an unauthenticated attacker to achieve remote code execution on vulnerable instances.
Specifically, the operating system (OS) command injection vulnerability, tracked as CVE-2025-64155, carries a severity rating of 9.4 out of 10.0 on the CVSS scoring system.
“An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,” the company said in a Tuesday bulletin.
According to Fortinet, the vulnerability impacts only Super and Worker nodes. The company has addressed the issue across the following FortiSIEM versions:
Meanwhile, Horizon3.ai security researcher Zach Hanley, who discovered and reported the flaw on August 14, 2025, explained that the vulnerability consists of two distinct components:
More precisely, the issue stems from how FortiSIEM’s phMonitor service handles incoming requests related to logging security events to Elasticsearch. This critical backend process manages health monitoring, task distribution, and inter-node communication over TCP port 7900.
As a result, the phMonitor service invokes a shell script using user-controlled parameters. This behavior opens the door to argument injection via curl and enables arbitrary file writes to disk under the context of the admin user.
Attackers can then weaponize this limited file write to achieve a full system takeover. By abusing the curl argument injection, an attacker can write a reverse shell to /opt/charting/redishb.sh, a file writable by the admin user and executed every minute by the appliance through a cron job running with root-level permissions.
In other words, writing a reverse shell to this file allows privilege escalation from admin to root, granting the attacker complete control over the FortiSIEM appliance. Most importantly, the phMonitor service exposes several command handlers that do not require authentication. Consequently, an attacker can invoke these functions simply by gaining network access to port 7900.
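The escalation step described above depends on a script that root's cron job executes while a less-privileged account can modify it. The audit below is an added example, not code from Fortinet or Horizon3.ai; the function name, the `trusted_uids` parameter and the one-hour recency window are assumptions, and it goes slightly beyond the text by also checking the script's parent directory.

```python
import os
import stat
import time

def audit_root_run_script(path, trusted_uids=(0,), recent_secs=3600, now=None):
    """Return findings for a script that a root cron job executes.

    Any account able to modify the script, or to replace it through its
    parent directory, effectively runs code as root on the next cron tick.
    """
    findings = []
    now = time.time() if now is None else now
    parent = os.path.dirname(os.path.abspath(path))
    for label, target in (("script", path), ("parent dir", parent)):
        st = os.lstat(target)
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{label} is a symlink: {target}")
            st = os.stat(target)  # judge the file the link resolves to
        if st.st_uid not in trusted_uids:
            findings.append(f"{label} owned by uid {st.st_uid}, not a trusted uid")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{label} is group-writable")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{label} is world-writable")
    # A recent change to a root-run script deserves a diff against a known-good copy.
    age = now - os.stat(path).st_mtime
    if age < recent_secs:
        findings.append(f"script modified {int(age)}s ago; compare with a known-good copy")
    return findings

if __name__ == "__main__":
    target = "/opt/charting/redishb.sh"  # path named in the article
    try:
        for finding in audit_root_run_script(target):
            print("FINDING:", finding)
    except FileNotFoundError:
        print("not present:", target)
```

The same function can be run over any other script referenced from root's crontab to find similar admin-to-root paths.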
In addition to the FortiSIEM updates, Fortinet has also released fixes for another critical vulnerability affecting FortiFone. The flaw, tracked as CVE-2025-47855 and rated 9.3 on the CVSS scale, could allow an unauthenticated attacker to obtain device configuration data through a specially crafted HTTP(S) request to the Web Portal page.
The vulnerability impacts the following versions of the enterprise communications platform:
Finally, Fortinet advises users to update to the latest versions for optimal protection. As a workaround for CVE-2025-64155, the company also recommends that customers restrict access to the phMonitor service on port 7900.
Source: TheHackerNews