Fortinet Issues Warning About FortiSIEM Pre-Authentication Remote Code Execution Vulnerability with Active Exploit in the Wild

Fortinet has issued a critical warning regarding a remote unauthenticated command injection vulnerability in FortiSIEM, tracked as CVE-2025-25256, for which exploit code has been found in the wild. The flaw, which carries a CVSS score of 9.8, affects multiple versions of FortiSIEM, ranging from 5.4 to 7.3. FortiSIEM serves as a central security monitoring and analytics system, essential for logging, network telemetry, and security incident alerts, and is widely used by governments, large enterprises, financial institutions, healthcare providers, and Managed Security Service Providers (MSSPs). The vulnerability allows unauthenticated attackers to execute unauthorized commands through crafted CLI requests, posing a significant risk to organisations that rely on this system for their security operations.

In light of the availability of functional exploit code, Fortinet strongly advises administrators to promptly apply the latest security updates by upgrading to supported FortiSIEM versions, including 7.3.2, 7.2.6, 7.1.8, 7.0.4, and 6.7.10. Versions 5.4 to 6.6 are also vulnerable but will not receive patches as they are no longer supported. Fortinet has recommended a temporary workaround of limiting access to the phMonitor on port 7900, which is the entry point for potential exploitation. However, this workaround does not resolve the underlying vulnerability. The urgency of this situation is underscored by a recent report from GreyNoise, which highlighted a surge in brute-force attacks targeting Fortinet SSL VPNs, suggesting a correlation between increased malicious activity and the disclosure of new vulnerabilities. 
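The following Python sketch is an added example, not Fortinet's code or tooling: it triages an inventory of FortiSIEM versions against the fixed releases listed above and offers a check that port 7900 is no longer reachable from a given vantage point. The hostnames, inventory and function names are constructed for illustration.

```python
import socket

# Fixed releases per supported branch, as listed in the article above.
FIXED = {(7, 3): (7, 3, 2), (7, 2): (7, 2, 6), (7, 1): (7, 1, 8),
         (7, 0): (7, 0, 4), (6, 7): (6, 7, 10)}
# Branches the article says are vulnerable but will not be patched.
EOL_RANGE = ((5, 4), (6, 6))
PHMONITOR_PORT = 7900  # workaround target named in the article


def parse(version):
    """'7.1.3' -> (7, 1, 3); a missing patch level is treated as 0."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple((parts + [0, 0])[:3])


def triage(version):
    """Return (status, action) for one FortiSIEM version string."""
    v = parse(version)
    branch = v[:2]
    if EOL_RANGE[0] <= branch <= EOL_RANGE[1]:
        return "vulnerable-unsupported", "migrate to a supported fixed release"
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown", "branch not covered by the article; check the vendor advisory"
    if v < fixed:  # numeric tuple compare, so 6.7.9 < 6.7.10
        return "vulnerable", "upgrade to " + ".".join(map(str, fixed))
    return "fixed", "none"


def phmonitor_reachable(host, timeout=2.0):
    """True if TCP 7900 accepts a connection from this vantage point."""
    try:
        with socket.create_connection((host, PHMONITOR_PORT), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = {"siem-a.example": "7.3.1", "siem-b.example": "7.1.8",
             "siem-c.example": "6.5.0", "siem-d.example": "6.7.9"}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        status, action = triage(ver)
        print(f"{host:16} {ver:7} {status:24} {action}")
```

Run `phmonitor_reachable()` from a network segment that should be blocked after the workaround is applied; a `True` result there means the access restriction is not in effect.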
