
Critical Unauthenticated Command Injection in Fortinet FortiSIEM (CVE-2025-25256)

CVE-2025-25256

Filip Dimitrov

August 15, 2025

Fortinet has disclosed a critical OS command injection in FortiSIEM, tracked as CVE-2025-25256, that allows unauthenticated RCE via crafted CLI requests. 

Fortinet confirms working exploit code exists in the wild (PoC observed), and several security vendors have since reported public exploit availability. CVSS v3.1: 9.8 (Critical), CWE-78. 

Affected versions

  • 6.7.0–6.7.9 → update to 6.7.10+
  • 7.0.0–7.0.3 → update to 7.0.4+
  • 7.1.0–7.1.7 → update to 7.1.8+
  • 7.2.0–7.2.5 → update to 7.2.6+
  • 7.3.0–7.3.1 → update to 7.3.2+
  • 7.4.x → not affected
  • Branches 6.1–6.6 → migrate to a fixed release (no direct patch on those trains).

Exposure & attack surface

The vulnerability resides in the phMonitor service (default TCP/7900) and can be triggered without authentication via specially crafted requests. Internet-exposed FortiSIEM managers, or managers reachable from untrusted networks, are at the highest risk.

A likely attack path would involve:

  • Scanning for FortiSIEM hosts with TCP/7900 open.
  • Sending a crafted request to exploit the command injection and gain remote code execution.
  • Deploying a payload or reverse shell to establish persistence.
  • Harvesting stored credentials, including those FortiSIEM holds for integrated systems, for lateral movement.

Once compromised, attackers could potentially tamper with SIEM data, disable alerts, or use the access to pivot deeper into the network.

Exploitation Status

Fortinet has confirmed that practical exploit code is already circulating in the wild, and public proof-of-concept (PoC) code has been released, drawing widespread attention from the security community. 

While there are no confirmed cases of mass exploitation of this specific FortiSIEM flaw yet, independent reporting has observed a spike in Fortinet-targeted scanning and brute-force activity.

Given the criticality of the vulnerability and the availability of exploit code, rapid weaponization against exposed appliances is highly likely.

Mitigation

  1. Patch/upgrade now: Upgrade to the minimum fixed versions above (or later). For 6.1–6.6, migrate to a supported, fixed release. Deferring the upgrade to a scheduled change window is not recommended given the unauthenticated RCE.
  2. Reduce exposure on TCP/7900: Until patched, block/limit access to phMonitor (7900/TCP) at network boundaries (ingress from the internet and untrusted segments). Prefer allow-listing (management plane reachable only from a management subnet/VPN).
  3. Inventory & verify versions: Enumerate all FortiSIEM managers/collectors (including test/DR) and record running version vs. target fixed version; confirm upgrade success in config/state.
  4. Segmentation & hardening: Ensure FortiSIEM’s management plane is not internet-exposed; enforce MFA for all admin access paths (SSH/GUI/VPN), rotate credentials/tokens on completion, and validate RBAC.

Detection & Hunting Ideas

Because exploitation may leave no clear FortiSIEM-specific traces, focus on network edge visibility and appliance-level behavior:

Network (SIEM/flow/pcap)
Filter for dst_port = 7900 with sources that are public or outside corporate ranges. Build a 30-day rarity model to flag first-seen connections to any FortiSIEM host on 7900.

Appliance telemetry
Watch for /bin/sh, /bin/bash, or other unusual child processes spawned by the phMonitor service, especially right after inbound 7900 connections.

Firewall/edge
Track daily allow/deny event counts for 7900 toward FortiSIEM hosts, looking for spikes since 2025-08-12 (advisory date).

(Fortinet warns there may be no distinctive IoCs; lack of detections should not be taken as proof of safety.)
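The network-side hunt described above (external sources hitting phMonitor on 7900, plus a 30-day first-seen model per source/host pair), as an added Python example that is not part of the original advisory; the flow records, corporate ranges and FortiSIEM manager address are constructed assumptions for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample flow records (timestamp src dst dst_port); not real telemetry.
SAMPLE_FLOWS = [
    "2025-06-01T11:00:00 10.20.7.99 10.20.9.40 7900",
    "2025-07-20T09:00:00 10.20.5.15 10.20.9.40 7900",
    "2025-07-21T09:00:00 10.20.5.15 10.20.9.40 7900",
    "2025-08-13T02:14:07 198.51.100.23 10.20.9.40 7900",
    "2025-08-13T02:15:11 10.20.7.99 10.20.9.40 7900",
    "2025-08-13T02:16:00 10.20.5.15 10.20.9.40 7900",
    "2025-08-13T02:17:00 10.20.5.15 10.20.9.40 443",
]

# Assumed environment facts: corporate ranges and the FortiSIEM manager address.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
FORTISIEM_HOSTS = {"10.20.9.40"}
PHMONITOR_PORT = 7900
RARITY_WINDOW = timedelta(days=30)
ADVISORY_DATE = datetime(2025, 8, 12)  # hunt window starts here; earlier records only build the baseline

def parse_flow(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)

def hunt(lines, since=ADVISORY_DATE):
    """Return [(timestamp, src, dst, [reasons])] for suspicious 7900 connections.

    A record is flagged if its source lies outside corporate ranges, or if the
    (src, dst) pair has not connected on 7900 within the previous 30 days.
    """
    last_seen = {}  # (src, dst) -> most recent 7900 connection
    findings = []
    for line in sorted(lines):  # ISO-8601 timestamps sort chronologically
        ts, src, dst, port = parse_flow(line)
        if port != PHMONITOR_PORT or dst not in FORTISIEM_HOSTS:
            continue
        reasons = []
        if ts >= since:
            if not is_corporate(src):
                reasons.append("external source to phMonitor")
            prior = last_seen.get((src, dst))
            if prior is None or ts - prior > RARITY_WINDOW:
                reasons.append("first-seen source in 30 days")
        last_seen[(src, dst)] = ts
        if reasons:
            findings.append((ts, src, dst, reasons))
    return findings
```

In the sample, the external source is flagged on both rules, the internal host last seen in June is flagged as first-seen, and the host seen 23 days earlier is not flagged.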

If you require support in assessing your exposure to CVE-2025-25256 or responding to a potential compromise, please contact our Incident Response team.

Stay Safe. Stay Secure.

OP Innovate Research Team
