Fortinet Issues Warning on FortiSIEM Vulnerability (CVE-2025-25256) with Active Exploit Code in the Wild

Fortinet has alerted customers to a critical security flaw in FortiSIEM, identified as CVE-2025-25256, which has a CVSS score of 9.8 out of 10. This vulnerability involves an improper neutralisation of special elements used in an OS command, known as ‘OS Command Injection’ (CWE-78). It may allow unauthenticated attackers to execute unauthorised code or commands through crafted CLI requests. The affected versions include FortiSIEM 6.1 to 6.6, as well as various releases from 6.7.0 to 7.3.1. Fortinet has recommended that users upgrade to fixed releases or the latest versions to mitigate the risk. Notably, the company acknowledged that practical exploit code for this vulnerability has been found in the wild, although it did not provide specific details about the exploit or its indicators of compromise.

In addition to the vulnerability disclosure, Fortinet has advised organisations to limit access to the phMonitor port (7900) as a workaround. This alert follows a warning from GreyNoise regarding a significant increase in brute-force traffic targeting Fortinet SSL VPN devices, with numerous IP addresses from the United States, Canada, Russia, and the Netherlands probing devices globally. The situation underscores the urgency for organisations to address the security flaw promptly to safeguard their systems against potential exploitation. 

Categories: Security Vulnerability, Software Update, Network Security 

Tags: Fortinet, FortiSIEM, CVE-2025-25256, CVSS, OS Command Injection, Vulnerability, Exploit, CLI Requests, Security Flaw, Access Limitations