Fortinet FortiSIEM Command Injection Vulnerability

Severity Level: Critical

Date: 18/08/2025

Ref: CERT/NCSOC/0236

Components Affected

• FortiSIEM 5.4 – All versions
• FortiSIEM 6.1 – 6.6 – All versions
• FortiSIEM 6.7 – 6.7.0 through 6.7.9
• FortiSIEM 7.0 – 7.0.0 through 7.0.3
• FortiSIEM 7.1 – 7.1.0 through 7.1.7
• FortiSIEM 7.2 – 7.2.0 through 7.2.x
• FortiSIEM 7.3 – 7.3.0 through 7.3.1

Overview

A critical pre-authentication command injection vulnerability (CVE-2025-25256) was identified in Fortinet FortiSIEM products. This flaw allows unauthenticated attackers to remotely execute arbitrary commands by sending crafted CLI requests, without any user interaction. The issue exists in the phMonitor service on TCP port 7900.

Impact

• Remote Code Execution (RCE): Attackers can execute arbitrary commands without authentication.
• Full System Compromise: Successful exploitation could give attackers full control over the system.
• Stealthy Exploitation: Attacks may lack clear indicators, complicating detection and response.

Solution / Workarounds

Patch Immediately: Upgrade to the following fixed versions:

• FortiSIEM 6.7 → 6.7.10 or above
• FortiSIEM 7.0 → 7.0.4 or above
• FortiSIEM 7.1 → 7.1.8 or above
• FortiSIEM 7.2 → 7.2.6 or above
• FortiSIEM 7.3 → 7.3.2 or above
• FortiSIEM 5.4, 6.1–6.6 → Migrate to supported releases

Temporary Mitigations (if patching not possible):

• Restrict access to TCP port 7900 to trusted internal hosts.
• Monitor for unusual system activity (though clear IoCs are currently lacking).

References

• WatchTowr Labs
• EU CERT
• Canadian Centre for Cyber Security
• Fortinet PSIRT

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.