PT-2026-2484 · Fortinet · Fortisiem

Published: 2026-01-13 · Updated: 2026-05-10 · CVE-2025-64155

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

FortiSIEM version 7.4.0
FortiSIEM versions 7.3.0 through 7.3.4
FortiSIEM versions 7.1.0 through 7.1.8
FortiSIEM versions 7.0.0 through 7.0.4
FortiSIEM versions 6.7.0 through 6.7.10

Description

An OS command injection issue exists in the phMonitor service of FortiSIEM, which is used for health monitoring and task distribution on Super and Worker nodes. The flaw stems from improper neutralization of special elements in TCP request processing, specifically an argument injection where the service uses the curl utility to fetch data. An unauthenticated remote attacker can send crafted TCP requests to inject malicious arguments, allowing them to write files (such as a reverse shell) to the disk. Since the service runs with root privileges, this can lead to unauthorized remote code execution, full system compromise, and the ability to disable security monitoring or delete logs.

Recommendations

Update FortiSIEM version 7.4.0 to 7.4.1 or later.
Update FortiSIEM versions 7.3.0 through 7.3.4 to 7.3.5 or later.
Update FortiSIEM versions 7.1.0 through 7.1.8 to 7.1.9 or later.
Restrict access to TCP port 7900 from the internet.
Restrict access to ports 443, 19999, and 20000 to authorized IP addresses only.
Deploy the system behind a VPN.
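
The argument-injection class named in the description, shown from the defensive side as an added illustration (not FortiSIEM or phMonitor code, whose internals this page does not show): a Python helper that builds a curl argv from an untrusted request field so the value can only ever be read as a URL. The allow-listed host, the timeout and the function and class names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this illustration: HTTPS only, hosts from a fixed allow-list.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"updates.example.internal"}  # constructed sample value
# Conservative character set: no whitespace, quotes, brackets, '@' or backslash.
_SAFE_URL = re.compile(r"[A-Za-z0-9._~:/?#&=%+-]+")


class RejectedInput(ValueError):
    """Raised when a request field must not reach the curl command line."""


def build_curl_argv(untrusted_url: str) -> list[str]:
    """Return an argv list for curl, or raise RejectedInput.

    The list is meant for subprocess.run(argv, shell=False): no shell parses
    the value, and curl cannot interpret it as an option.
    """
    # Whitespace or control characters could split the value into extra
    # arguments if any later layer tokenises it, so reject them outright.
    if not _SAFE_URL.fullmatch(untrusted_url):
        raise RejectedInput("unexpected characters in URL")
    # A leading '-' is how a data field turns into a curl option.
    if untrusted_url.startswith("-"):
        raise RejectedInput("value looks like an option")
    parts = urlsplit(untrusted_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise RejectedInput("scheme not allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise RejectedInput("host not allowed")
    return [
        "curl", "--silent", "--fail", "--max-time", "10",
        "--proto", "=https",  # curl refuses every other protocol
        "--",                 # end of options: what follows is only a URL
        untrusted_url,
    ]
```

Input validation of this kind complements, and does not replace, the vendor updates and network restrictions listed above.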

Exploit · Fix · LPE · DoS · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00369
CVE-2025-64155

Affected Products

Fortisiem