Critical FortiSIEM Vulnerability Allows Attackers to Execute Malicious Commands – Proof of Concept Discovered in the Wild
A critical security vulnerability has been identified in the Fortinet FortiSIEM platform that allows unauthenticated attackers to execute arbitrary commands remotely. Tracked as CVE-2025-25256 and classified under CWE-78 (OS Command Injection), the flaw has been actively exploited in the wild, with practical exploit code already circulating among threat actors. It stems from improper neutralisation of special elements used in operating system commands within FortiSIEM's architecture. Attackers bypass authentication entirely by sending crafted Command Line Interface (CLI) requests to the phMonitor service on port 7900, which is the primary attack vector. Security researchers have confirmed that the exploit code is in active use, posing a severe risk to organisations running vulnerable FortiSIEM versions, particularly those on 6.1 to 6.6, which have no fix within their branch and require complete migration to a fixed release.
Organisations are urged to upgrade to patched versions or migrate to secure releases to mitigate the risk. Fortinet gives specific upgrade paths per branch: 7.3 users should upgrade to 7.3.2 or above, 7.2 users to 7.2.6 or above, 7.1 users to 7.1.8 or above, 7.0 users to 7.0.4 or above, and 6.7 users to 6.7.10 or above. Notably, FortiSIEM 7.4 is not affected by this flaw. As an immediate workaround, Fortinet recommends limiting access to the phMonitor port 7900 to reduce exposure until the patches can be applied. The advisory was initially published on August 12, 2025, and organisations should assess their FortiSIEM deployments and apply the appropriate remediation without delay.
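The script below is an added triage helper, not code from Fortinet or the article's author: it encodes the per-branch fix levels quoted above and reports which hosts in a version inventory are still exposed, which should be migrated, and which are already fixed or unaffected. The host names and version strings in the sample inventory are constructed, and the "unknown" status for branches the advisory text does not mention is this script's own assumption.

```python
# Minimum fixed patch level per affected branch (upgrade paths from the advisory text).
FIXED_IN = {
    (7, 3): (7, 3, 2),
    (7, 2): (7, 2, 6),
    (7, 1): (7, 1, 8),
    (7, 0): (7, 0, 4),
    (6, 7): (6, 7, 10),
}
MIGRATE_BRANCHES = {(6, minor) for minor in range(1, 7)}  # 6.1 .. 6.6: no in-branch fix
UNAFFECTED_BRANCHES = {(7, 4)}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '7.2.5' (or '7.2') into (major, minor, patch); a missing patch is 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def assess(version: str) -> dict[str, str]:
    """Status and recommended action for one FortiSIEM version string."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in UNAFFECTED_BRANCHES:
        return {"version": version, "status": "not_affected", "action": "none"}
    if branch in MIGRATE_BRANCHES:
        return {"version": version, "status": "vulnerable",
                "action": "migrate to a fixed release (no patch in this branch)"}
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        if (major, minor, patch) >= fixed:
            return {"version": version, "status": "patched", "action": "none"}
        return {"version": version, "status": "vulnerable",
                "action": "upgrade to " + ".".join(map(str, fixed)) + " or later"}
    return {"version": version, "status": "unknown",  # assumption: branch not in advisory text
            "action": "branch not covered by the advisory text; check the vendor"}


def triage(inventory: dict[str, str]) -> list[dict[str, str]]:
    """Assess a host -> version inventory; vulnerable hosts are listed first."""
    rows = [{"host": host, **assess(ver)} for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: r["status"] != "vulnerable")


# Constructed sample inventory (not real hosts) for a stand-alone run.
SAMPLE_INVENTORY = {"siem-a": "7.2.5", "siem-b": "7.3.2", "siem-c": "6.5.1", "siem-d": "7.4.0"}
for row in triage(SAMPLE_INVENTORY):
    print(f"{row['host']:8} {row['version']:8} {row['status']:13} {row['action']}")
```

Feed it the versions from your asset inventory; any host reported as vulnerable should also have port 7900 restricted until it is upgraded.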