Fortinet Patches Critical FortiSIEM Flaw Enabling Unauthenticated Remote Code Execution
Fortinet has issued critical updates to address a serious vulnerability in its FortiSIEM product. This flaw enables unauthenticated remote code execution on affected instances. The operating system injection vulnerability is identified as CVE-2025-64155 and has received a risk rating of 9.4 on the CVSS scale.
CVE-2025-64155: Details of the Vulnerability
The vulnerability arises from improper handling of special elements in an OS command, known as OS command injection. Consequently, an attacker can execute unauthorized commands by sending specifically crafted TCP requests. Fortinet’s advisory specifically mentions that this issue impacts Super and Worker nodes within FortiSIEM.
Affected Versions and Recommendations
Fortinet has provided guidance on upgrade paths for the affected versions:
- FortiSIEM 6.7.0 through 6.7.10: Migrate to a fixed release
- FortiSIEM 7.0.0 through 7.0.4: Migrate to a fixed release
- FortiSIEM 7.1.0 through 7.1.8: Upgrade to 7.1.9 or above
- FortiSIEM 7.2.0 through 7.2.6: Upgrade to 7.2.7 or above
- FortiSIEM 7.3.0 through 7.3.4: Upgrade to 7.3.5 or above
- FortiSIEM 7.4.0: Upgrade to 7.4.1 or above
- FortiSIEM 7.5: Not affected
- FortiSIEM Cloud: Not affected
To mitigate the risks associated with CVE-2025-64155, Fortinet advises users to restrict access to the phMonitor service port (7900).
Discovery of the Vulnerability
The vulnerability was discovered by Zach Hanley, a security researcher at Horizon3.ai, on August 14, 2025. Hanley noted that the issue involves two main components:
- Unauthenticated argument injection leading to arbitrary file writes, allowing remote code execution as the admin user.
- File overwrite escalation that provides root access, compromising the entire system.
The flaw revolves around the phMonitor service, vital for monitoring tasks and inter-node communications via TCP. It improperly manages logging requests, enabling potential exploitation through crafted inputs.
Additional Vulnerabilities Addressed
In addition to CVE-2025-64155, Fortinet has also released patches for another critical flaw in its FortiFone product (CVE-2025-47855) rated at 9.3 on the CVSS scale. This vulnerability could allow an unauthenticated attacker to access device configurations through specially crafted HTTP(S) requests. Affected versions include:
- FortiFone 3.0.13 through 3.0.23: Upgrade to 3.0.24 or higher
- FortiFone 7.0.0 through 7.0.1: Upgrade to 7.0.2 or higher
- FortiFone 7.2: Not affected
Users are strongly encouraged to update to the latest versions of both FortiSIEM and FortiFone to ensure optimal security and functionality.
The post Fortinet Patches Critical FortiSIEM Flaw Enabling Unauthenticated Remote Code Execution appeared first on CDN3 - Filmogaz.
