Ethical Hacking News

Hackers Leverage Critical Fortinet FortiSIEM Flaw to Launch Attacks



Hackers are now exploiting a critical flaw in Fortinet's FortiSIEM that allows arbitrary code execution and privilege escalation. The vulnerability, identified as CVE-2025-64155, has been publicly available for months, and threat intelligence firm Defused reports active exploitation in the wild.

  • Fortinet has issued a security update for CVE-2025-64155, a critical vulnerability in FortiSIEM.
  • The flaw allows for arbitrary writes with admin permissions and privilege escalation to root access.
  • The issue is due to an improper neutralization of special elements used in an operating system command.
  • Fortinet has released security updates, plus a temporary workaround for admins who cannot patch immediately.
  • Customers should prioritize patching and consider migrating to a fixed release.


Fortinet has issued a security update to address a critical vulnerability in its FortiSIEM system that is being actively exploited by hackers. The flaw, identified as CVE-2025-64155, allows arbitrary writes with admin permissions and privilege escalation to root access.

The vulnerability is an OS command injection (improper neutralization of special elements used in an operating system command). It enables attackers to execute unauthorized code or commands via crafted TCP requests, because dozens of command handlers on the phMonitor service are exposed and can be invoked remotely without authentication.

According to security researcher Zach Hanley at penetration testing company Horizon3.ai, who reported the vulnerability, it affects FortiSIEM versions 6.7 to 7.5 and can be patched by upgrading to FortiSIEM 7.4.1 or later, 7.3.5 or later, 7.2.7 or later, or 7.1.9 or later. Customers using FortiSIEM 7.0.0 through 7.0.4 and FortiSIEM 6.7.0 through 6.7.10 are advised to migrate to a fixed release.

Fortinet has released security updates to patch the flaw, as well as a temporary workaround for admins who cannot immediately apply the updates. The workaround is to limit access to the phMonitor port (7900).

Threat intelligence firm Defused has reported that threat actors are actively exploiting CVE-2025-64155 in the wild. Horizon3.ai also provides indicators of compromise to help defenders identify systems that have already been compromised.

In November, Fortinet warned that attackers were exploiting a FortiWeb zero-day (CVE-2025-58034), and one week later it confirmed that it had silently patched a second FortiWeb zero-day (CVE-2025-64446) that was also targeted in widespread attacks.

The Chinese Volt Typhoon hacking group exploited two FortiOS vulnerabilities (tracked as CVE-2023-27997 and CVE-2022-42475) to deploy the Coathanger remote access trojan on a Dutch Ministry of Defence military network.

In light of these recent breaches, organizations running Fortinet's FortiSIEM should prioritize patching the vulnerability as soon as possible to prevent attacks and preserve the integrity of their systems.
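The patching and workaround guidance above is easy to misapply across a fleet with mixed FortiSIEM branches. The following is an added example (not Fortinet's, Horizon3.ai's or the article's own tooling) that encodes the version ranges and fixed releases quoted in the article and returns a remediation action per host; the inventory rows are constructed sample data, and the "check-advisory" verdict for the 7.5 branch is an assumption made because the article names 7.5 as affected but quotes no fixed 7.5.x release.

```python
"""Triage FortiSIEM hosts against the CVE-2025-64155 data quoted in the article.
Added example, not vendor tooling. Affected: 6.7 to 7.5. Fixed: 7.1.9, 7.2.7,
7.3.5, 7.4.1. 6.7.x and 7.0.x have no fix and must migrate. Workaround: restrict
TCP/7900 (phMonitor) until patched."""

# Minimum fixed release per branch, as listed in the article.
FIXED_IN = {(7, 1): (7, 1, 9), (7, 2): (7, 2, 7), (7, 3): (7, 3, 5), (7, 4): (7, 4, 1)}
# Branches the article says must migrate to a fixed release.
MIGRATE_ONLY = {(6, 7), (7, 0)}
# Affected range stated in the article (inclusive, by branch).
AFFECTED_MIN, AFFECTED_MAX = (6, 7), (7, 5)
PHMONITOR_PORT = 7900


def parse_version(text: str) -> tuple:
    """Turn '7.3.4' (or '7.3') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) < 2 or len(parts) > 3:
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def triage(version: str, phmonitor_exposed: bool) -> str:
    """Return 'ok', 'patch', 'migrate', 'check-advisory' or 'not-listed', with
    '+restrict-7900' appended when the host still needs remediation and its
    phMonitor port is reachable from untrusted networks (the interim workaround)."""
    v = parse_version(version)
    branch = v[:2]
    if branch < AFFECTED_MIN or branch > AFFECTED_MAX:
        return "not-listed"  # outside the range the article quotes; verify separately
    if branch in FIXED_IN:
        verdict = "ok" if v >= FIXED_IN[branch] else "patch"
    elif branch in MIGRATE_ONLY:
        verdict = "migrate"
    else:
        verdict = "check-advisory"  # assumption: affected, but no fixed release quoted
    if verdict != "ok" and phmonitor_exposed:
        verdict += "+restrict-7900"
    return verdict


def triage_inventory(rows):
    """rows: iterable of (hostname, version, phmonitor_exposed). Returns {host: action}."""
    return {host: triage(ver, exposed) for host, ver, exposed in rows}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("siem-sup-01", "7.3.4", True), ("siem-wkr-02", "7.4.1", False),
              ("siem-old-03", "7.0.4", True), ("siem-new-04", "7.5.0", False)]
    for host, action in triage_inventory(sample).items():
        print(f"{host}: {action}")
```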



Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Leverage-Critical-Fortinet-FortiSIEM-Flaw-to-Launch-Attacks-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-fortinet-fortisiem-vulnerability-in-attacks/
  • https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html
  • https://nvd.nist.gov/vuln/detail/CVE-2025-64155
  • https://www.cvedetails.com/cve/CVE-2025-64155/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-58034
  • https://www.cvedetails.com/cve/CVE-2025-58034/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-64446
  • https://www.cvedetails.com/cve/CVE-2025-64446/
  • https://nvd.nist.gov/vuln/detail/CVE-2023-27997
  • https://www.cvedetails.com/cve/CVE-2023-27997/
  • https://nvd.nist.gov/vuln/detail/CVE-2022-42475
  • https://www.cvedetails.com/cve/CVE-2022-42475/


Published: Fri Jan 16 06:27:47 2026 by llama3.2 3B Q4_K_M