Imagine someone walking right into your network, bypassing all security, and taking complete control. Sounds like a nightmare, right? That's precisely the risk Fortinet users faced until recently. A critical vulnerability in FortiSIEM allowed attackers to execute code remotely without needing any authentication whatsoever. Fortinet has now released fixes, but understanding the severity of this flaw is crucial.
Published on January 14, 2026, this urgent patch addresses a glaring security hole in FortiSIEM, a system designed to enhance security. The vulnerability, identified as CVE-2025-64155, received a near-perfect severity score of 9.4 out of 10 on the CVSS scale, indicating its critical nature. Think of it like this: a CVSS score of 10 is a doomsday scenario, and 9.4 is knocking on that door.
According to Fortinet's advisory, this is an "OS command injection" vulnerability (CWE-78). In layman's terms, it means an attacker could inject malicious operating system commands through specially crafted TCP requests. But here's where it gets controversial... some security experts argue that Fortinet initially downplayed the potential impact, focusing solely on the technical details rather than the real-world consequences for businesses. What do you think?
This vulnerability affects the Super and Worker nodes within FortiSIEM deployments. The affected versions and their corresponding fixes are:
- FortiSIEM 6.7.0 through 6.7.10: Migrate to a fixed release.
- FortiSIEM 7.0.0 through 7.0.4: Migrate to a fixed release.
- FortiSIEM 7.1.0 through 7.1.8: Upgrade to 7.1.9 or above.
- FortiSIEM 7.2.0 through 7.2.6: Upgrade to 7.2.7 or above.
- FortiSIEM 7.3.0 through 7.3.4: Upgrade to 7.3.5 or above.
- FortiSIEM 7.4.0: Upgrade to 7.4.1 or above.
- FortiSIEM 7.5: Not affected.
- FortiSIEM Cloud: Not affected.
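If you run more than a handful of FortiSIEM nodes, the quickest way to use the table above is to turn it into a script and feed it your inventory. The Python below is an added example written for this article, not code from Fortinet or from the advisory; the version ranges and remediation strings are the ones listed above, while the function names and the handling of versions the advisory does not list (anything before 6.7.0) are my own assumptions.

```python
"""Triage an inventory of FortiSIEM versions against the CVE-2025-64155 table.

Added example, not vendor code. Ranges and fixes are copied from the advisory
summary above; everything else (names, inventory format) is an assumption.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, remediation) straight from the advisory summary.
AFFECTED_RANGES: List[Tuple[Version, Version, str]] = [
    ((6, 7, 0), (6, 7, 10), "Migrate to a fixed release"),
    ((7, 0, 0), (7, 0, 4), "Migrate to a fixed release"),
    ((7, 1, 0), (7, 1, 8), "Upgrade to 7.1.9 or above"),
    ((7, 2, 0), (7, 2, 6), "Upgrade to 7.2.7 or above"),
    ((7, 3, 0), (7, 3, 4), "Upgrade to 7.3.5 or above"),
    ((7, 4, 0), (7, 4, 0), "Upgrade to 7.4.1 or above"),
]

# Branches the advisory lists at all (7.5 and Cloud are "not affected").
LISTED_BRANCHES = {(lo[0], lo[1]) for lo, _, _ in AFFECTED_RANGES}


def parse_version(text: str) -> Version:
    """Parse 'major.minor' or 'major.minor.patch'; a missing patch level is 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def triage(version: str) -> Tuple[bool, str]:
    """Return (is_affected, remediation_or_note) for one version string."""
    v = parse_version(version)
    for lo, hi, fix in AFFECTED_RANGES:
        if lo <= v <= hi:
            return True, fix
    if v[:2] in LISTED_BRANCHES:
        # Same branch as an affected range but past its last affected build.
        return False, "Already on a fixed release for this branch"
    if v < (6, 7, 0):
        # Assumption: the advisory table starts at 6.7.0, so older builds are
        # simply unlisted here; treat them as "check with the vendor", not safe.
        return False, "Branch not listed in the advisory; confirm with Fortinet"
    return False, "Not affected per advisory (7.5 and later)"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Map {hostname: version} to {hostname: (affected, remediation)}."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"siem-super-01": "7.2.3", "siem-worker-01": "7.2.7",
              "siem-worker-02": "7.4", "siem-lab": "7.5.0"}
    for host, (affected, note) in triage_inventory(sample).items():
        print(f"{host:16} {'AFFECTED' if affected else 'ok':9} {note}")
```

Run it against an export from your CMDB or from each node's GUI; anything reported as AFFECTED should be scheduled for upgrade before you rely on the port-7900 workaround described later in the article.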
The discovery and reporting of this flaw are credited to Zach Hanley, a security researcher at Horizon3.ai, who found it back on August 14, 2025. Hanley described the exploit as a two-stage attack. The first part involves an unauthenticated argument injection vulnerability, which allows the attacker to write arbitrary files and execute code as the admin user. The second part? And this is the part most people miss... it's a file overwrite privilege escalation vulnerability that escalates the attacker's access to root, completely compromising the entire appliance. Root access is the 'keys to the kingdom' in the Linux world, giving the attacker complete control.
The vulnerability lies within FortiSIEM's phMonitor service. This service, which operates on TCP port 7900, is crucial for monitoring system health, distributing tasks, and facilitating communication between nodes. The problem arises when phMonitor handles incoming requests related to logging security events to Elasticsearch. The way it's designed, it invokes a shell script with parameters that the attacker can control. This is the key to the whole attack.
By injecting malicious arguments, an attacker can write a reverse shell (a way to remotely control the system) to /opt/charting/redishb.sh. This file is particularly dangerous because it's writable by an admin user and, critically, is executed every minute by a cron job running with root privileges. Essentially, the attacker leverages the existing system to automatically execute their malicious code with the highest level of permissions. The fact that the phMonitor service doesn't require authentication for certain command handlers makes this attack incredibly easy to carry out, provided the attacker has network access to port 7900.
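The detail worth acting on here is the root cron job: any file that root executes every minute but that a lower-privileged account can write is both the design weakness and the place an intruder's code would land. The Python below is an added example (not Fortinet's code and not part of the researcher's write-up) that an incident responder could run on a node to check such a script: it reports the permission weakness separately from indicators of tampering (a very recent modification, or content patterns that have no business in a Redis heartbeat script). The pattern list, the 60-minute window and the helper names are my own assumptions; the `/opt/charting/redishb.sh` path comes from the article.

```python
"""Inspect a root-executed cron script for weak permissions and tampering.

Added example, not vendor code. The indicator patterns and the "recently
modified" window are assumptions chosen for illustration.
"""
import os
import re
import stat
import tempfile
import time
from typing import Dict, List, Optional

CRON_SCRIPT = "/opt/charting/redishb.sh"  # path named in the article

# Things a defender would not expect inside a Redis heartbeat script.
SUSPICIOUS_PATTERNS = [
    (r"/dev/tcp/", "bash network redirection"),
    (r"\bbash\s+-i\b", "interactive shell spawn"),
    (r"\b(nc|ncat|netcat)\b", "netcat invocation"),
    (r"base64\s+(-d|--decode)", "base64-decoded payload"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "download piped to a shell"),
]


def inspect_cron_script(path: str, max_age_minutes: int = 60,
                        now: Optional[float] = None) -> Dict[str, object]:
    """Return permission weaknesses and tampering indicators for one script."""
    st = os.stat(path)
    now = time.time() if now is None else now
    weaknesses: List[str] = []
    indicators: List[str] = []

    # Weakness: root runs this file, so anyone who can write it runs as root.
    if st.st_uid != 0:
        weaknesses.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        weaknesses.append("group- or world-writable")

    # Indicator: a heartbeat script should not change often.
    age_min = (now - st.st_mtime) / 60
    if age_min < max_age_minutes:
        indicators.append(f"modified {age_min:.1f} minutes ago")

    # Indicator: content that does not belong in a heartbeat script.
    with open(path, "r", errors="replace") as fh:
        content = fh.read()
    for pattern, label in SUSPICIOUS_PATTERNS:
        if re.search(pattern, content):
            indicators.append(f"content matches: {label}")

    return {"path": path, "weaknesses": weaknesses, "indicators": indicators,
            "tampered": bool(indicators)}


def demo() -> Dict[str, Dict[str, object]]:
    """Build two constructed sample scripts in a temp dir and inspect both."""
    d = tempfile.mkdtemp(prefix="redishb-demo-")
    clean = os.path.join(d, "clean.sh")
    with open(clean, "w") as fh:
        fh.write("#!/bin/bash\n# constructed benign sample\nredis-cli ping\n")
    os.utime(clean, (0, 0))  # pretend it has not changed since 1970

    tampered = os.path.join(d, "tampered.sh")
    with open(tampered, "w") as fh:
        # Constructed sample: the token below only exists to trigger detection.
        fh.write("#!/bin/bash\necho /dev/tcp/192.0.2.10/4444\n")

    return {"clean": inspect_cron_script(clean),
            "tampered": inspect_cron_script(tampered)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    # On a real node you would call inspect_cron_script(CRON_SCRIPT) instead.
```

The split between weaknesses and indicators matters: on an unpatched node the owner finding is expected and tells you the privilege-escalation path still exists, whereas any indicator is a reason to start incident response rather than just patching.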
Fortinet didn't stop there. They also patched another critical vulnerability (CVE-2025-47855, CVSS score: 9.3) in FortiFone, their enterprise communications platform. This flaw allowed unauthenticated attackers to pilfer device configurations through a specially crafted HTTP(S) request to the Web Portal page. Affected versions of FortiFone include:
- FortiFone 3.0.13 through 3.0.23: Upgrade to 3.0.24 or above.
- FortiFone 7.0.0 through 7.0.1: Upgrade to 7.0.2 or above.
- FortiFone 7.2: Not affected.
To safeguard your systems, updating to the latest versions is absolutely essential. As a temporary workaround for CVE-2025-64155, Fortinet recommends limiting access to the phMonitor port (7900) to only trusted sources. This is a Band-Aid solution, though; updating is the only real fix.
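If you do have to live with the workaround for a while, write the allowlist down as rules rather than a ticket. The Python below is an added example, not something Fortinet ships, that turns a list of trusted sources (your Supervisor, Workers and collectors) into host-firewall rules for TCP/7900 on a Linux host, refusing malformed networks and an accidental allow-all. That the appliance would be filtered with iptables, and the function names, are my assumptions; the port number comes from the advisory.

```python
"""Generate an allowlist for the phMonitor port (TCP/7900) as iptables rules.

Added example, not vendor code. Assumes a Linux host firewall; the same
allow-then-drop shape applies to an upstream firewall policy.
"""
import ipaddress
from typing import List, Optional

PHMONITOR_PORT = 7900  # port named in the Fortinet advisory


def rejected_reason(cidr: str) -> Optional[str]:
    """Return why a source network is unacceptable, or None if it is fine."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be 0
    except ValueError as exc:
        return f"malformed network {cidr!r}: {exc}"
    if net.version != 4:
        return f"{cidr}: this example only emits IPv4 rules"
    if net.prefixlen == 0:
        return f"{cidr}: would allow the whole Internet, which defeats the workaround"
    return None


def phmonitor_allowlist_rules(trusted_cidrs: List[str]) -> List[str]:
    """Allow TCP/7900 from each trusted network, then drop everything else."""
    if not trusted_cidrs:
        raise ValueError("no trusted sources given; the nodes would lose each other")
    rules: List[str] = []
    for cidr in trusted_cidrs:
        reason = rejected_reason(cidr)
        if reason:
            raise ValueError(reason)
        net = ipaddress.ip_network(cidr, strict=True)
        rules.append(f"iptables -A INPUT -p tcp --dport {PHMONITOR_PORT} "
                     f"-s {net} -j ACCEPT")
    # Default deny must come last so the ACCEPT lines above are evaluated first.
    rules.append(f"iptables -A INPUT -p tcp --dport {PHMONITOR_PORT} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed sample: a management subnet plus one collector address.
    for line in phmonitor_allowlist_rules(["10.20.0.0/16", "192.0.2.5/32"]):
        print(line)
```

Keep the generated list under version control and remove it once every node reports a fixed version, so the temporary rule does not quietly become the only thing protecting the service.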
So, what are your thoughts on this situation? Do you think Fortinet responded adequately and quickly enough? Or could they have done more to protect their users? Share your opinions in the comments below!