Critical FortiSIEM flaw under active exploitation, Fortinet warns

Fortinet warns of a critical FortiSIEM vulnerability, tracked as CVE-2025-25256, that is actively exploited in attacks in the wild.

Fortinet warns customers of a critical vulnerability, tracked as CVE-2025-25256 (CVSS score of 9.8), affecting FortiSIEM, for which an exploit exists in the wild.

Fortinet gave no details about the exploit, noting it leaves no clear Indicators of Compromise (IoCs).

The vulnerability is an OS command injection issue that could allow unauthenticated attackers to execute arbitrary code or commands via crafted CLI requests.

“An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests,” reads the advisory. “Practical exploit code for this vulnerability was found in the wild.”

The vulnerability impacts the following versions:

  • FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6 (Migrate to a fixed release)
  • FortiSIEM 6.7.0 through 6.7.9 (Upgrade to 6.7.10 or above)
  • FortiSIEM 7.0.0 through 7.0.3 (Upgrade to 7.0.4 or above)
  • FortiSIEM 7.1.0 through 7.1.7 (Upgrade to 7.1.8 or above)
  • FortiSIEM 7.2.0 through 7.2.5 (Upgrade to 7.2.6 or above)
  • FortiSIEM 7.3.0 through 7.3.1 (Upgrade to 7.3.2 or above)

FortiSIEM 7.4 is not affected by the flaw.

As workarounds, the vendor recommends that customers limit access to the phMonitor port (7900).
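Because the advisory lists six affected ranges with different remediations, the first step for a defender is to triage every FortiSIEM instance by build number. The following added script (not Fortinet's tooling) does that against the ranges above; the inventory it runs over is constructed sample data, and the hostnames are placeholders.

```python
"""Added example (not Fortinet's code): triage a FortiSIEM inventory against CVE-2025-25256."""
from typing import List, Optional, Tuple

# Affected ranges as listed in the advisory: (first affected, last affected, fixed release).
# A two-element upper bound means "every patch level of that major.minor".
# fixed=None means the advisory gives no fixed build on that line ("migrate to a fixed release").
AFFECTED_RANGES = [
    ((6, 1, 0), (6, 6), None),        # FortiSIEM 6.1 - 6.6
    ((6, 7, 0), (6, 7, 9), "6.7.10"),
    ((7, 0, 0), (7, 0, 3), "7.0.4"),
    ((7, 1, 0), (7, 1, 7), "7.1.8"),
    ((7, 2, 0), (7, 2, 5), "7.2.6"),
    ((7, 3, 0), (7, 3, 1), "7.3.2"),
]

def parse_version(text: str) -> Tuple[int, ...]:
    """'6.7.10' -> (6, 7, 10); a bare '6.5' becomes (6, 5, 0). Numeric compare, so 6.7.10 > 6.7.9."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected FortiSIEM version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def triage(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, action) for one build: affected / fixed / not affected / not listed."""
    v = parse_version(version_text)
    for lo, hi, fix in AFFECTED_RANGES:
        if lo <= v and v[:len(hi)] <= hi:
            return ("affected", f"upgrade to {fix} or above" if fix else "migrate to a fixed release")
    for lo, hi, fix in AFFECTED_RANGES:        # at or past the fixed build of an affected line
        if fix and v[:2] == lo[:2] and v >= parse_version(fix):
            return ("fixed", None)
    if v[:2] == (7, 4):                        # the advisory states 7.4 is not affected
        return ("not affected", None)
    return ("not listed", "version not covered by the advisory; confirm with the vendor")

# Constructed sample inventory (hostname, build); placeholder hosts, not real systems.
SAMPLE_INVENTORY = [("siem-sup-01", "7.2.5"), ("siem-col-02", "6.6.3"),
                    ("siem-wrk-03", "7.3.2"), ("siem-lab-04", "7.4.0")]

def triage_inventory(rows: List[Tuple[str, str]]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Run triage over an inventory export and return one (host, build, status, action) row per host."""
    return [(host, build, *triage(build)) for host, build in rows]

if __name__ == "__main__":
    for host, build, status, action in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {build:8} {status:13} {action or ''}")
```

Hosts reported as affected should be upgraded (or migrated, on the 6.1 to 6.6 line), and until then have access to TCP port 7900 restricted to the trusted FortiSIEM nodes that need it.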

Pierluigi Paganini

(SecurityAffairs – hacking, FortiSIEM)