Mallory

FortiSIEM Unauthenticated RCE via phMonitor OS Command Injection (CVE-2025-64155)

Tags: proof-of-concept-release, rapid-weaponization, widely-deployed-product-advisory, internet-facing-service-vulnerability, initial-access-method

Updated March 21, 2026 at 02:52 PM (13 sources)

Fortinet disclosed and patched a critical FortiSIEM OS command injection vulnerability, CVE-2025-64155 (CVSS 9.4), that enables unauthenticated remote code execution via crafted TCP/CLI requests to the phMonitor service (default port 7900). Impact is reported on FortiSIEM Super and Worker nodes (Collector nodes reportedly not affected), with recommended upgrades to 7.4.1, 7.3.5, or 7.2.7; a key mitigation is to restrict network access to port 7900.

Technical analysis described an exploit chain in which attacker-controlled inputs in phMonitor requests can be leveraged for argument injection leading to arbitrary file write and code execution (initially in an admin-level context), followed by a file-overwrite privilege escalation to root. Public exploit material is reported to be available, and the issue has drawn threat-actor interest (including references in leaked Black Basta chats), increasing the likelihood of opportunistic exploitation against exposed FortiSIEM deployments.
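The summary above gives a defender the facts needed to triage an estate: the affected roles (Super and Worker, with Collector reported as not affected), the fixed release on each branch (7.4.1, 7.3.5, 7.2.7), and the workaround of restricting TCP port 7900. The following Python script, added here as an example and not code from Mallory, Fortinet or Horizon3.ai, turns those facts into a version triage over a constructed inventory, with an optional TCP reachability check for phMonitor from wherever the script is run. Everything beyond the advisory facts is an assumption: the inventory and hostnames are constructed, the version-string formats are guesses, any release older than its branch's fixed release is treated as affected, and branches with no fixed release on this page are reported as unknown rather than guessed at.

```python
"""Triage FortiSIEM nodes for CVE-2025-64155 exposure.

Added example, not Mallory's, Fortinet's or Horizon3.ai's code.  Facts from the
advisory summary: phMonitor listens on TCP 7900; Super and Worker nodes are affected,
Collector nodes are reported as not affected; fixed releases are 7.4.1, 7.3.5, 7.2.7.
Assumption: a release on one of those branches that is older than its fixed release is
treated as affected; other branches are reported as 'unknown-branch'.
"""
import re
import socket
from typing import Optional

PHMONITOR_PORT = 7900  # from the advisory summary

# Branch -> first fixed release, taken from the recommended upgrades in the summary.
FIXED_RELEASES = {
    (7, 4): (7, 4, 1),
    (7, 3): (7, 3, 5),
    (7, 2): (7, 2, 7),
}

# Roles reported as affected ("Super"/"Supervisor" and "Worker"); "collector" is not.
AFFECTED_ROLES = {"super", "supervisor", "worker"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """Extract major.minor.patch from strings like 'FortiSIEM 7.3.4' or '7.4.0 build 1234'."""
    m = _VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def assess(role: str, version_text: str) -> str:
    """Classify one node as not-affected-role, unparseable, unknown-branch, affected or fixed."""
    if role.strip().lower() not in AFFECTED_ROLES:
        return "not-affected-role"
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown-branch"  # no fixed release for this branch is listed on the page
    return "fixed" if version >= fixed else "affected"


def phmonitor_reachable(host: str, port: int = PHMONITOR_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes from the machine running this.

    Run from a segment that should not reach management services: the advisory's
    workaround is to restrict port 7900, so a successful connect from there is a finding.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(inventory: list[dict], probe: bool = False) -> list[dict]:
    """Assess every node in an inventory of {'host', 'role', 'version'} records."""
    report = []
    for node in inventory:
        status = assess(node["role"], node["version"])
        entry = {"host": node["host"], "role": node["role"], "status": status}
        if status == "affected":
            fixed = FIXED_RELEASES[parse_version(node["version"])[:2]]
            entry["action"] = (f"upgrade to {'.'.join(map(str, fixed))}; until then restrict "
                               f"TCP/{PHMONITOR_PORT} to trusted hosts")
            if probe:  # only probe nodes that are actually affected
                entry["phmonitor_reachable"] = phmonitor_reachable(node["host"])
        elif status == "unknown-branch":
            entry["action"] = "check Fortinet advisory FG-IR-25-772 for this branch"
        report.append(entry)
    return report


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    {"host": "siem-super.example.internal", "role": "super", "version": "FortiSIEM 7.3.4"},
    {"host": "siem-worker1.example.internal", "role": "worker", "version": "7.4.1 build 1234"},
    {"host": "siem-collector1.example.internal", "role": "collector", "version": "7.2.0"},
    {"host": "siem-worker2.example.internal", "role": "worker", "version": "7.0.3"},
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_INVENTORY):
        print(entry)
```

The version comparison is branch-aware on purpose: a 7.3.6 node is fixed even though it is numerically below 7.4.1, and a 7.0.x node is flagged as unknown rather than silently marked safe. Pass `probe=True` only from a vantage point that should not be able to reach management services; a `True` result there means the port-7900 restriction is not in place.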

Timeline

  1. Jan 15, 2026

    Defused detects active exploitation of CVE-2025-64155 in honeypots

    By 2026-01-15, Defused reported seeing targeted exploitation attempts against CVE-2025-64155 through honeypot deployments. The observed attacks followed public disclosure and PoC release, indicating the FortiSIEM flaw had moved from patch-only status to active abuse.

  2. Jan 13, 2026

    Horizon3.ai publishes technical analysis and PoC for CVE-2025-64155

    On 2026-01-13, Horizon3.ai released a technical write-up and proof-of-concept exploit for CVE-2025-64155 after privately reporting the issue to Fortinet. The research described how unauthenticated argument injection in the phMonitor service could be used for arbitrary file write, admin-level code execution, and escalation to root, and included indicators of compromise and log-hunting guidance.

  3. Jan 13, 2026

    Fortinet releases advisory and patches for CVE-2025-64155 and other flaws

    On 2026-01-13, Fortinet published advisory FG-IR-25-772 and released fixes for the critical FortiSIEM command injection flaw CVE-2025-64155, along with other vulnerabilities including the critical FortiFone Web Portal information disclosure bug CVE-2025-47855. Fortinet provided affected version details, upgrade guidance, and a workaround to restrict access to the phMonitor service on TCP port 7900.

  4. Aug 1, 2025

    Fortinet observes exploitation of CVE-2025-25256 in the wild

    In August 2025, Fortinet issued an advisory for CVE-2025-25256, a FortiSIEM OS command injection flaw reachable via crafted CLI requests. The company said exploitation had been observed in the wild, and later research into this issue led to discovery of a related exploit chain tracked as CVE-2025-64155.


Related Entities

Vulnerabilities

- Unauthenticated OS Command Injection in Fortinet FortiSIEM phMonitor (CVE-2025-64155)
- FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow RCE (CVE-2022-42475)
- XORtigate: FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCE (CVE-2023-27997)
- Fortinet FortiWeb Relative Path Traversal Authentication Bypass (CVE-2025-64446)
- OS Command Injection in Fortinet FortiWeb (CVE-2025-58034)
- Unauthenticated OS Command Injection in Fortinet FortiSIEM phMonitor (CVE-2025-25256)
- Unauthenticated device configuration disclosure in Fortinet FortiFone Web Portal (CVE-2025-47855)
- Unauthenticated OS Command Injection in Fortinet FortiSIEM phMonitor (CVE-2024-23108)
- FortiSIEM phMonitor Service Command Injection (CVE-2023-34992)
- OS Command Injection in Fortinet FortiSIEM Supervisor (CVE-2024-23109)
- Authenticated SQL Injection in Fortinet FortiClientEMS (CVE-2025-59922)
- Heap-based buffer overflow in Fortinet FortiOS / FortiSwitchManager cw_acd daemon (CVE-2025-25249)
- SSRF in Fortinet FortiSandbox GUI (plaintext internal request proxy) (CVE-2025-67685)
- Privileged arbitrary file deletion via path traversal in Fortinet FortiVoice (7.2.0-7.2.2, 7.0.0-7.0.7) (CVE-2025-58693)
- Zoho ManageEngine SAML SSO Pre-Authentication RCE (CVE-2022-47966)
- FortiOS and FortiProxy Authentication Bypass via Node.js WebSocket/Alternate Channel (CVE-2024-55591)
- Authentication Bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager Administrative Interface (CVE-2022-40684)
- Unauthenticated RCE in Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera (CVE-2025-32756)
- Fortinet FortiOS/FortiProxy SSL VPN Out-of-Bounds Write RCE (CVE-2024-21762)

Sources

January 16, 2026 at 10:29 AM
January 15, 2026 at 07:07 PM
January 15, 2026 at 05:35 PM

5 more from sources like horizon3 blog, help net security, rescana blog, tenable blog and cyber security news

Related Stories

Public Exploit Released for Critical FortiSIEM Unauthenticated Command Injection (CVE-2025-25256)

Technical details and public exploit code were released for a **critical Fortinet FortiSIEM** vulnerability, **CVE-2025-25256**, that enables a **remote, unauthenticated attacker** to execute unauthorized OS commands/code via crafted TCP requests. Reporting attributes the issue to exposed command handlers on the `phMonitor` service that can be invoked without authentication, chaining an arbitrary write with elevated permissions and privilege escalation to achieve **root** access. Fortinet has issued patches across affected FortiSIEM versions (reported as impacting **6.7 through 7.5**) and stated that all vulnerable versions are now fixed, following earlier partial fixes across product branches. Researchers noted `phMonitor` has been a recurring entry point for prior FortiSIEM flaws (including **CVE-2023-34992** and **CVE-2024-23108**) and warned that ransomware operators (e.g., **Black Basta**) have previously shown interest in FortiSIEM exploitation, increasing the likelihood of opportunistic targeting now that exploit code is public.

1 month ago
Active Exploitation of Critical Infrastructure Management RCE Flaws

Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.

1 month ago
Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)

Fortinet issued a critical advisory for *FortiClient Enterprise Management Server (EMS)* warning that **CVE-2026-21643** enables **unauthenticated remote code execution** via an **SQL injection** flaw (`CWE-89`) in the product’s **GUI/web interface**. By sending specially crafted HTTP requests that exploit insufficient input sanitization, an external attacker could execute arbitrary code or unauthorized commands on the EMS server without valid credentials, potentially turning a central endpoint-management platform into a foothold for broader compromise. The issue is reported as affecting the **7.4** line, with **FortiClientEMS 7.4.4** explicitly called out as vulnerable; Fortinet’s recommended remediation is to **upgrade to 7.4.5 or later**. Fortinet also stated that the **8.0** and **7.2** branches are **not affected**, and an updated note indicated **FortiEMS Cloud/SaaS instances are not impacted**, narrowing immediate exposure primarily to on-prem deployments running the affected version.

1 month ago
