Fortinet has issued critical security updates to address a severe operating system injection vulnerability in FortiSIEM that allows unauthenticated attackers to execute remote code. This flaw, identified as CVE-2025-64155, impacts specific versions of the platform and can lead to a total system takeover if not patched immediately.
Fortinet recently disclosed a high-severity security flaw in its FortiSIEM solution that carries a CVSS score of 9.4 out of 10.0. This vulnerability is classified as an improper neutralization of special elements within an operating system command, which essentially allows an attacker to bypass authentication. By sending specifically crafted TCP requests to a vulnerable instance, a remote actor can execute unauthorized commands or code on the system without needing any login credentials.
The technical root of the issue lies within the phMonitor service, a backend process that handles health monitoring and task distribution across the network via port 7900. Security researchers discovered that this service fails to properly sanitize incoming requests related to Elasticsearch logging. Because the service invokes shell scripts using parameters controlled by the user, an attacker can use argument injection through the curl command to write arbitrary files directly to the appliance's disk.
An attacker can escalate their control by targeting a specific shell script located in a directory writable by the admin user. By overwriting this file with a reverse shell script, the attacker leverages a pre-existing cron job that runs every minute with root-level permissions. This transition from admin-level file writing to root-level execution allows for a complete compromise of the FortiSIEM appliance, giving the attacker unfettered access to the entire system and its data.
Fortinet has confirmed that this vulnerability specifically affects Super and Worker nodes in versions ranging from 6.7 through 7.4. To mitigate the risk, the company urges users to migrate to fixed releases or upgrade to newer versions like 7.1.9, 7.2.7, 7.3.5, or 7.4.1. While newer versions like 7.5 and the FortiSIEM Cloud service remain unaffected, those unable to apply the updates immediately are advised to restrict network access to TCP port 7900 as a temporary workaround.
In addition to the FortiSIEM fix, the company addressed a separate critical vulnerability in its FortiFone enterprise communication platform. Tracked as CVE-2025-47855, this flaw could allow unauthenticated users to steal device configurations through crafted web requests. Given the severity of both issues, security administrators are encouraged to review their environments and apply the necessary patches to maintain the integrity of their network monitoring and communication infrastructure.
Source: Fortinet Patches Critical FortiSIEM Bug Enabling Unauthenticated RCE