Today's cybersecurity headlines are brought to you by ThreatPerspective

Fortinet Addresses Critical FortiSIEM Vulnerability Allowing Unauthenticated Remote Code Execution

Fortinet has released patches for two critical security vulnerabilities in its FortiSIEM and FortiFone systems, addressing issues allowing unauthenticated remote code execution and device configuration access. Users are urged to update their systems to the latest versions for optimal protection.

Recently, cybersecurity news platform The Hacker News (THN) broke the story of a critical security flaw discovered by Horizon3.ai security researcher Zach Hanley in the FortiSIEM system. This vulnerability, tracked as CVE-2025-64155 and rated 9.4 out of 10.0 on the CVSS scoring system, allows an unauthenticated attacker to execute remote code on susceptible instances of FortiSIEM. This significant finding raises concerns about the potential for hackers to take control of sensitive systems without proper authentication.

The vulnerability is attributed to a combination of two separate issues: an unauthenticated argument injection vulnerability that leads to arbitrary file write, allowing for remote code execution as the admin user; and a file overwrite privilege escalation vulnerability that leads to root access and completely compromises the appliance. The problem arises from how FortiSIEM's phMonitor service handles incoming requests related to logging security events to Elasticsearch.

The phMonitor service invokes a shell script with user-controlled parameters, which in turn allows for argument injection via curl. This enables arbitrary file writes to the disk in the context of the admin user, ultimately leading to privilege escalation from admin to root and granting the attacker unfettered access to the FortiSIEM appliance.

The most critical aspect of this vulnerability is that the phMonitor service exposes several command handlers that do not require authentication. This makes it easy for an attacker to invoke these functions simply by obtaining network access to port 7900, thereby facilitating remote code execution without needing authentication.

Fortinet has taken swift action in response to this critical security flaw, releasing patches and updates to address the vulnerability in various versions of FortiSIEM. The specific versions affected include:

* FortiSIEM 6.7.0 through 6.7.10 (Migrate to a fixed release)
* FortiSIEM 7.0.0 through 7.0.4 (Migrate to a fixed release)
* FortiSIEM 7.1.0 through 7.1.8 (Upgrade to 7.1.9 or above)
* FortiSIEM 7.2.0 through 7.2.6 (Upgrade to 7.2.7 or above)
* FortiSIEM 7.3.0 through 7.3.4 (Upgrade to 7.3.5 or above)
* FortiSIEM 7.4.0 (Upgrade to 7.4.1 or above)
* FortiSIEM 7.5 (Not affected)
* FortiSIEM Cloud (Not affected)

Fortinet has also addressed another critical security vulnerability in FortiFone, which could allow an unauthenticated attacker to obtain device configuration via a specially crafted HTTP(S) request to the Web Portal page. The specific versions of FortiFone impacted include:

* FortiFone 3.0.13 through 3.0.23 (Upgrade to 3.0.24 or above)
* FortiFone 7.0.0 through 7.0.1 (Upgrade to 7.0.2 or above)
* FortiFone 7.2 (Not affected)

Users are strongly advised to update their systems to the latest versions available for optimal protection against these vulnerabilities.

In a recommended workaround, Fortinet recommends limiting access to the phMonitor port (7900) to prevent further exploitation of CVE-2025-64155. This measure will help mitigate the risk associated with this critical security flaw until patches and updates are applied.

Fortinet's swift response to these vulnerabilities underscores the importance of regular patch management and proactive cybersecurity measures to protect against emerging threats in the ever-evolving landscape of digital security.