PT-2026-2484 · Fortinet · FortiSIEM

Published 2026-01-13 · Updated 2026-02-20 · CVE-2025-64155

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
Fortinet FortiSIEM versions 6.7.0 through 7.4.0

Description
Fortinet FortiSIEM contains an improper neutralization of special elements used in an OS command ('OS command injection') vulnerability. It allows an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests. The vulnerability affects the phMonitor service, specifically on port 7900, and allows arbitrary file writing and privilege escalation. Attackers can achieve root-level access and potentially compromise the entire security monitoring infrastructure. Public exploit code is available, several threat actors are actively targeting the vulnerability, and exploitation in the wild has been observed.

Recommendations
Upgrade to FortiSIEM version 7.4.1 or later.
Upgrade to FortiSIEM version 7.3.5 or later.
Upgrade to FortiSIEM version 7.2.7 or later.
Upgrade to FortiSIEM version 7.1.9 or later.
Restrict access to port 7900 as a temporary mitigation.
Monitor for suspicious web requests and new admin users/processes.

Exploit

Fix

LPE

RCE

DoS

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00369
CVE-2025-64155

Affected Products

FortiSIEM