top of page
Search

Fortinet Fixes Critical FortiSIEM Vulnerabilities

  • Jan 14
  • 2 min read

Key Findings


  • Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances.

  • The vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.

  • The flaw allows for OS command injection via crafted TCP requests to the phMonitor service running on port 7900.

  • Fortinet has also patched a critical vulnerability in FortiFone (CVE-2025-47855, CVSS 9.3) that could allow unauthenticated attackers to obtain device configuration.


Background


The FortiSIEM vulnerability resides in how the phMonitor service, a crucial backend process responsible for health monitoring, task distribution, and inter-node communication, handles incoming requests related to logging security events to Elasticsearch. This invokes a shell script with user-controlled parameters, opening the door to argument injection via curl and achieving arbitrary file writes to the disk in the context of the admin user.


This limited file write can then be weaponized to achieve full system takeover by writing a reverse shell to "/opt/charting/redishb.sh", a file that's writable by an admin user and is executed every minute by the appliance via a root-level cron job.


The most important aspect is that the phMonitor service exposes several command handlers that do not require authentication, making it easy for an attacker to invoke these functions simply by obtaining network access to port 7900.


Affected Versions


The vulnerability affects the following versions of FortiSIEM:


  • FortiSIEM 6.7.0 through 6.7.10 (Migrate to a fixed release)

  • FortiSIEM 7.0.0 through 7.0.4 (Migrate to a fixed release)

  • FortiSIEM 7.1.0 through 7.1.8 (Upgrade to 7.1.9 or above)

  • FortiSIEM 7.2.0 through 7.2.6 (Upgrade to 7.2.7 or above)

  • FortiSIEM 7.3.0 through 7.3.4 (Upgrade to 7.3.5 or above)

  • FortiSIEM 7.4.0 (Upgrade to 7.4.1 or above)

  • FortiSIEM 7.5 and FortiSIEM Cloud are not affected.


Mitigation


As a workaround, Fortinet recommends limiting access to the phMonitor port (7900) to mitigate the risk of exploitation.


Researcher Credit


The vulnerability was discovered and reported by Zach Hanley of Horizon3.ai.


Sources


  • https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html

  • https://securityaffairs.com/186902/security/fortinet-fixed-two-critical-flaws-in-fortifone-and-fortisiem.html

  • https://securityonline.info/exploit-code-published-critical-fortisiem-flaw-grants-unauthenticated-root-access/

  • https://www.linkedin.com/posts/dlross_fortinet-fixes-critical-fortisiem-flaw-allowing-activity-7417328420231172097-DgYa

  • https://x.com/TheCyberSecHub/status/2011411524800405907

Recent Posts

See All
Defeating AI with AI

Key Findings Generative AI and agentic AI are increasingly used by threat actors to conduct faster and more targeted attacks. One capability that AI improves for threat actors is the ability to profil

 
 
 

Comments

  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page