Fortinet FortiSIEM Critical CVE-2025-64155 Vulnerability: Unauthenticated Remote Code Execution Exploited in the Wild
- Rescana

Executive Summary
A critical vulnerability in Fortinet FortiSIEM (CVE-2025-64155) has been identified, enabling unauthenticated remote code execution (RCE) through a command injection flaw in the phMonitor service. This vulnerability, with a CVSS score of 9.8, is being actively exploited in the wild, and public proof-of-concept (PoC) code is readily available. The flaw allows attackers to gain root-level access, potentially leading to full system compromise, lateral movement, data exfiltration, and ransomware deployment. Immediate patching and mitigation are essential for all organizations running affected versions of Fortinet FortiSIEM.
Technical Information
CVE-2025-64155 is an OS command injection vulnerability (CWE-78) in the phMonitor service of Fortinet FortiSIEM. The flaw arises from improper neutralization of special elements in OS commands processed by the API, specifically on TCP port 7900. An unauthenticated attacker can send specially crafted TCP requests to this service, resulting in arbitrary command execution as the root user on the target system.
The attack vector is network-based and does not require authentication, making exploitation trivial for remote adversaries. The impact is severe: successful exploitation grants attackers full administrative control, enabling them to execute arbitrary commands, install persistent backdoors, exfiltrate sensitive data, and deploy ransomware or other malware.
The vulnerability affects Fortinet FortiSIEM versions 6.7.0 through 6.7.10, 7.0.0 through 7.0.4, 7.1.0 through 7.1.8, 7.2.0 through 7.2.6, 7.3.0 through 7.3.4, and 7.4.0. FortiSIEM Cloud, version 7.5, and patched versions above those listed are not affected.
Technical exploitation involves argument injection via the phMonitor service. Attackers can leverage a public PoC, such as the one released by Horizon3.ai on GitHub, to deliver a payload (for example, a reverse shell) to the vulnerable host. The exploit typically involves setting up a malicious web server, crafting a payload, and using the PoC to trigger code execution. Attackers can write files to disk and schedule their execution via cron, achieving persistence and furthering their objectives.
Indicators of compromise include unusual inbound connections to TCP port 7900, outbound connections from FortiSIEM hosts to attacker-controlled IP addresses, unexpected files or scripts in /tmp, /var/tmp, or cron directories, modifications to system cron jobs, and execution of unexpected binaries or scripts as root. Network utilities such as nc, curl, or wget running from FortiSIEM hosts may also indicate compromise.
The vulnerability maps to several MITRE ATT&CK techniques: T1190 (Exploit Public-Facing Application) for initial access, T1059 (Command and Scripting Interpreter) for execution, T1053.003 (Cron) for persistence, T1068 (Exploitation for Privilege Escalation), and T1070 (Indicator Removal on Host) for defense evasion.
Exploitation in the Wild
Multiple security vendors and open-source intelligence sources confirm that CVE-2025-64155 is being actively exploited. Reports from The Hacker News, Horizon3.ai, and discussions on Reddit /r/netsec indicate that attackers are scanning for exposed FortiSIEM instances and leveraging the public PoC for initial access. Once access is gained, attackers escalate privileges, establish persistence, and move laterally within the network. The availability of a working PoC has accelerated exploitation, and organizations with unpatched systems are at significant risk.
Observed tactics, techniques, and procedures (TTPs) include scanning for TCP port 7900, delivering payloads via crafted requests, writing files to disk, modifying cron jobs for persistence, and using standard network utilities to establish outbound connections. There are also reports of attackers attempting to cover their tracks by removing indicators of compromise and modifying system logs.
APT Groups using this vulnerability
As of this report, there is no public attribution of CVE-2025-64155 exploitation to specific advanced persistent threat (APT) groups. However, the tactics and techniques observed align with those commonly used by ransomware operators and initial access brokers. The rapid weaponization of the vulnerability and the focus on high-value targets such as managed service providers, large enterprises, and public sector organizations suggest that both financially motivated cybercriminals and potentially state-sponsored actors could leverage this flaw. Community reports from Horizon3.ai and The Hacker News highlight the potential for rapid adoption by sophisticated threat actors, even though no direct APT attribution has been made.
Affected Product Versions
The following versions of Fortinet FortiSIEM are affected by CVE-2025-64155: 6.7.0 through 6.7.10, 7.0.0 through 7.0.4, 7.1.0 through 7.1.8, 7.2.0 through 7.2.6, 7.3.0 through 7.3.4, and 7.4.0. FortiSIEM Cloud, version 7.5, and any versions patched above those listed are not affected. Organizations running any of the affected versions should prioritize immediate remediation.
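To turn the affected ranges above into an inventory check, here is an added example (not Fortinet's or Rescana's code) that compares a FortiSIEM version string against the ranges exactly as the advisory lists them; the build-suffix handling and the sample inventory are assumptions made for the example.

```python
# Added example: classify FortiSIEM version strings against the affected ranges
# listed in the advisory for CVE-2025-64155. Not from Fortinet or Rescana.
from typing import Dict, List, Tuple

# Inclusive (first, last) affected ranges taken from the advisory text.
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((6, 7, 0), (6, 7, 10)),
    ((7, 0, 0), (7, 0, 4)),
    ((7, 1, 0), (7, 1, 8)),
    ((7, 2, 0), (7, 2, 6)),
    ((7, 3, 0), (7, 3, 4)),
    ((7, 4, 0), (7, 4, 0)),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.2.3' into (7, 2, 3). Anything after a '-' is treated as a build
    suffix and ignored (an assumption about the version format, not from the advisory)."""
    parts = text.strip().split("-")[0].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True when the version falls inside any listed range. Per the advisory,
    FortiSIEM 7.5 and the patched releases above each range are unaffected."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames in a {host: version} inventory that still need patching."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real systems.
    sample = {"siem-01": "7.2.6", "siem-02": "7.3.5", "siem-03": "6.7.10", "siem-04": "7.5.0"}
    print(triage(sample))  # ['siem-01', 'siem-03']
```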
Workaround and Mitigation
The primary mitigation is to upgrade to the latest version of Fortinet FortiSIEM as detailed in the official Fortinet advisory. Patching is the only fully effective remediation, as the vulnerability allows unauthenticated remote code execution with root privileges.
As a temporary workaround, organizations should restrict access to TCP port 7900 (the phMonitor service) to trusted management networks only. This can be achieved by implementing firewall rules or network segmentation to limit exposure. Additionally, organizations should monitor for indicators of compromise, including unusual network activity on port 7900, unexpected outbound connections, and modifications to cron jobs or system files.
Security teams should review logs for suspicious activity on FortiSIEM hosts, investigate any anomalies, and consider conducting a forensic analysis if compromise is suspected. It is also recommended to monitor for the presence of known exploit tools and payloads associated with this vulnerability.
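The two network indicators called out above (untrusted sources reaching phMonitor on TCP 7900, and FortiSIEM hosts opening outbound connections) can be swept for in connection logs; the following is an added example, not code from Fortinet or Rescana, and its log line format, host addresses and management networks are constructed assumptions to be replaced with your own.

```python
# Added example: flag the CVE-2025-64155 network indicators from the advisory in
# connection logs. Not from Fortinet or Rescana; the log format is constructed.
import ipaddress
from typing import Iterable, List

PHMONITOR_PORT = 7900

# Assumed environment (replace with real values): the FortiSIEM hosts, the
# management networks allowed to reach phMonitor, and internal address space.
FORTISIEM_HOSTS = {ipaddress.ip_address("10.20.0.5")}
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def analyse(lines: Iterable[str]) -> List[str]:
    """Each line: '<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>'.
    Returns one finding per suspicious connection, in log order."""
    findings: List[str] = []
    for line in lines:
        try:
            ts, src, _, dst = line.split()
            src_ip, _ = src.rsplit(":", 1)
            dst_ip, dst_port = dst.rsplit(":", 1)
            s, d, port = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole sweep
        if d in FORTISIEM_HOSTS and port == PHMONITOR_PORT and not in_any(s, TRUSTED_MGMT_NETS):
            findings.append(f"{ts} untrusted source {s} reached phMonitor tcp/7900 on {d}")
        elif s in FORTISIEM_HOSTS and not in_any(d, INTERNAL_NETS):
            findings.append(f"{ts} FortiSIEM host {s} made outbound connection to {d}:{port}")
    return findings


# Constructed sample log (203.0.113.0/24 is a documentation range, not a real attacker).
SAMPLE_LOG = """\
2026-01-15T10:00:01Z 10.10.0.7:51000 -> 10.20.0.5:7900
2026-01-15T10:02:13Z 203.0.113.9:44321 -> 10.20.0.5:7900
2026-01-15T10:02:20Z 10.20.0.5:39855 -> 203.0.113.9:4444
2026-01-15T10:03:00Z 10.20.0.5:39901 -> 10.0.0.53:53
this line is garbage
""".splitlines()

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The first sample line is a legitimate management-network connection and produces no finding; the second and third reproduce the inbound-then-outbound pattern the advisory describes.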
References
Fortinet PSIRT Advisory FG-IR-25-772: https://fortiguard.fortinet.com/psirt/FG-IR-25-772
NVD CVE-2025-64155: https://nvd.nist.gov/vuln/detail/CVE-2025-64155
Horizon3.ai PoC and Analysis: https://github.com/horizon3ai/CVE-2025-64155
Horizon3.ai Technical Blog: https://horizon3.ai/attack-research/vulnerabilities/cve-2025-64155-fortinet-fortisiem/
The Hacker News Coverage: https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html
Reddit /r/netsec Discussion: https://www.reddit.com/r/netsec/comments/1qbz5ul/cve202564155_3_years_of_remotely_rooting_the/
eSentire Advisory: https://www.esentire.com/security-advisories/critical-fortinet-fortisiem-vulnerability-cve-2025-64155-disclosed
Secure-ISS SOC Advisory: https://secure-iss.com/soc-advisory-fortinet-fortisiem-fortios-critical-vulnerabilities-14-jan-2026/
Rescana is here for you
Rescana is committed to helping organizations manage third-party risk and strengthen their cybersecurity posture. Our TPRM platform provides continuous monitoring, automated risk assessments, and actionable intelligence to help you stay ahead of emerging threats. If you have any questions about this advisory or need assistance with your cybersecurity strategy, we are happy to help at ops@rescana.com.