CVE-2025-64155

Fortinet FortiSIEM Arbitrary File Write Remote Code Execution Vulnerability

Horizon3.ai identified a zero-day remote code execution vulnerability affecting Fortinet FortiSIEM and responsibly disclosed it to Fortinet in August 2025. An unauthenticated attacker with network access to a core FortiSIEM service (phMonitor) can write arbitrary files as the FortiSIEM admin user, turn that into code execution, and then escalate to root, gaining full control of the appliance.

Fortinet has published a security advisory (FG-IR-25-772) and assigned this issue CVE-2025-64155. Fortinet has also released patches that address this vulnerability for affected FortiSIEM releases.

All versions of FortiSIEM 7.4 and below are affected. FortiSIEM Cloud is not affected. While many deployments are not directly internet-facing, any instance where the vulnerable service is reachable should be considered at immediate risk due to the severity of impact.


What it is and why it matters

Fortinet FortiSIEM is a security operations platform that combines SIEM functionality, event correlation, analytics, and operational monitoring. It ingests logs and telemetry from network devices, firewalls, endpoints, servers, identity systems, cloud services, databases, and applications, and serves as a central system of record for security monitoring and response.

FortiSIEM is widely deployed in large enterprises and managed service environments across industries such as finance, healthcare, retail, and telecommunications. A single FortiSIEM instance often has deep visibility into hundreds or thousands of systems and stores sensitive telemetry, alerts, credentials, and integration secrets.

Compromise of FortiSIEM gives attackers control over the security operations layer itself. This includes the ability to read and alter logs, disable detections, harvest credentials, and pivot further into the environment. In MSP or MSSP deployments, compromise may extend beyond a single organization and impact downstream customer environments.

Technical details

CVE-2025-64155 is a remote code execution vulnerability caused by improper neutralization of user-supplied input to an unauthenticated API endpoint exposed by the FortiSIEM phMonitor service.

The phMonitor service is used internally by FortiSIEM components to exchange data and commands and is present across all common deployment architectures. This service exposes a large set of command handlers that can be invoked remotely without authentication.

The vulnerability arises in the handling of storage configuration requests when the storage type is set to elastic. User-controlled values from the XML payload pass through several layers of processing and are finally used to build the command line for a system script that performs a connectivity test. That script invokes curl, and the crafted parameters are not neutralized before being placed on the curl command line, so an attacker can append curl options of their choosing (argument injection, CWE-88).

Because the injected options can control where curl writes its output, an unauthenticated attacker can write arbitrary content to arbitrary paths on the FortiSIEM appliance in the context of the FortiSIEM admin user. Overwriting a binary or script that the appliance executes on a recurring basis then yields reliable remote code execution.
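The following is an added illustration of the vulnerability class described above, not FortiSIEM's script or Horizon3.ai's code: a hypothetical "connectivity test" wrapper around curl in its injectable form, next to a hardened version. The parameter names, the default port and the sample inputs are assumptions; neither function runs curl, each prints the argv it would execute so the difference can be checked without a network.

```shell
#!/usr/bin/env bash
# Added illustration, not FortiSIEM's code: a hypothetical "connectivity test"
# wrapper around curl, first in the injectable form and then hardened. Neither
# function executes curl; each prints the argv it would run, one element per
# line, so the effect of the parsing can be checked without a network.

# Injectable pattern: the caller-supplied target is spliced into a command
# string and then word-split. A value such as "-o /tmp/owned http://x/payload"
# becomes three separate arguments, and curl reads "-o /tmp/owned" as its
# documented output-file option, so the fetched body is written to that path.
# Run as the service account, that is an arbitrary file write at the account's
# privilege, which is the bug class the advisory describes.
vuln_curl_argv() {
    local target="$1"
    local cmd="curl -s --max-time 5 $target"
    # shellcheck disable=SC2086
    # (the unquoted expansion below is the bug)
    printf '%s\n' $cmd
}

# Hardened pattern: validate host and port against a strict character
# allowlist, refuse anything beginning with "-", build the argv as an array so
# no word-splitting happens, and put "--" before the URL so curl stops option
# parsing no matter what the string contains.
safe_curl_argv() {
    local host="$1" port="${2:-9200}"   # 9200 is an assumed default, not FortiSIEM's
    case "$host" in
        ''|-*|*[!A-Za-z0-9.:_-]*) echo "rejected host: $host" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "rejected port: $port" >&2; return 1 ;;
    esac
    local -a argv=(curl -s --max-time 5 -- "http://${host}:${port}/")
    printf '%s\n' "${argv[@]}"
}
```

The hardened version is defensive coding for any script that wraps curl; the actual fix for FortiSIEM is the phMonitor change shipped in Fortinet's fixed builds.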

Privilege escalation

After achieving code execution as the admin user, attackers can escalate privileges to root.

FortiSIEM includes scheduled tasks executed by root that invoke scripts and binaries writable by the admin user. By modifying one of these admin-writable files that is executed by a root-owned cron job, an attacker can escalate from admin to root and fully compromise the appliance.

This results in complete control of the FortiSIEM system, including the operating system, application stack, and all security monitoring capabilities.
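As an added example of how to look for the escalation path described above on a Linux host (this is not Fortinet tooling and does not name any FortiSIEM file; the paths in the usage comment are the standard system cron locations, and GNU stat is assumed), the audit below scans crontab-format files for absolute paths and reports any cron target, or the directory holding it, that a non-root account could modify:

```shell
#!/usr/bin/env bash
# Added audit helper, not Fortinet code. It scans crontab-format files
# (/etc/crontab, /etc/cron.d/*, or a dumped root crontab) for absolute paths and
# reports any regular file, or the directory containing one, that a non-root
# account could modify. Assumes GNU stat (Linux). No FortiSIEM-specific paths
# are assumed; feed it whatever cron files exist on the appliance.
#
# Usage: audit_cron_targets /etc/crontab /etc/cron.d/*
#        crontab -l -u root > /tmp/root.cron && audit_cron_targets /tmp/root.cron

# weak_perms PATH: print a reason and return 0 if PATH is group/other-writable
# or not owned by root; return 1 if it looks safe. Write bits are checked first
# so a 0777 file is always reported as writable, whoever owns it.
weak_perms() {
    local p="$1" owner mode g o
    mode=$(stat -c '%a' "$p" 2>/dev/null) || return 1
    owner=$(stat -c '%U' "$p")
    g=$(( (8#$mode >> 3) & 7 ))   # group permission bits
    o=$(( 8#$mode & 7 ))          # other permission bits
    if [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]; then
        printf 'mode %s is group/other-writable\n' "$mode"
        return 0
    fi
    if [ "$owner" != root ]; then
        printf 'owned by %s, not root\n' "$owner"
        return 0
    fi
    return 1
}

# audit_cron_targets FILE...: for each cron file, take every absolute-path token
# on non-comment lines and report the target (and its directory) when
# weak_perms flags it. Output line: PATH: REASON (referenced in FILE)
audit_cron_targets() {
    local f line tok dir reason
    local -a toks
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            line="${line#"${line%%[![:space:]]*}"}"   # trim leading whitespace
            case "$line" in ''|'#'*) continue ;; esac
            read -ra toks <<< "$line"                 # split on whitespace, no globbing
            for tok in "${toks[@]}"; do
                [ -f "$tok" ] || continue             # regular files only (skips /dev/null)
                if reason=$(weak_perms "$tok"); then
                    printf '%s: %s (referenced in %s)\n' "$tok" "$reason" "$f"
                fi
                dir=$(dirname "$tok")
                if reason=$(weak_perms "$dir"); then
                    printf '%s: %s (directory of a cron target in %s)\n' "$dir" "$reason" "$f"
                fi
            done
        done < "$f"
    done
    return 0
}
```

A writable parent directory is reported as well because a file in such a directory can be replaced by rename even when the file itself is root-owned and read-only.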

Conditions for exploitation

Instances are exploitable when the following condition is met:

  • Network access to the FortiSIEM phMonitor service, which listens by default on TCP port 7900

No authentication is required to exploit this vulnerability once the service is reachable.

NodeZero® Offensive Security Platform — Rapid Response

The Fortinet FortiSIEM Rapid Response test identifies exposed FortiSIEM instances with reachable phMonitor services and validates whether conditions exist that allow arbitrary file write, remote code execution, and full appliance compromise. This allows teams to quickly assess exposure, prioritize mitigation, and verify that corrective actions effectively reduce risk.

Recommended actions:

  • Run the Rapid Response test to identify exposed FortiSIEM instances
  • Upgrade to the fixed builds released by Fortinet; where that is not immediately possible, apply the network mitigations below
  • Re-run the Rapid Response test to confirm the exposure has been eliminated

Affected versions and patch

Affected versions: FortiSIEM 7.4 and all earlier releases prior to the fixed builds are affected wherever the phMonitor service is reachable over the network. FortiSIEM Cloud is not affected.

Patch status: Fortinet published updates that address this vulnerability under advisory FG-IR-25-772. Customers should upgrade to the fixed FortiSIEM builds as soon as possible. Versions 7.3.2 and later, 7.2.6 and later, 7.1.8 and later, 7.0.4 and later, and 6.7.10 and later contain the fix. These fixed builds remove the argument injection condition in phMonitor.

Mitigations

Until all systems can be updated, organizations should immediately reduce exposure:

  • Implement network or host-based firewall rules to restrict access to the FortiSIEM server
  • Specifically block or tightly limit access to the phMonitor service on TCP port 7900
  • Ensure FortiSIEM services are only reachable from trusted administrative networks
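As an added example of the mitigation above (not Fortinet guidance): an nftables allowlist for the phMonitor port plus two checks. The table, set and chain names and the sample networks are placeholders; the only facts taken from this page are that phMonitor listens on TCP/7900 and that only trusted hosts (other FortiSIEM nodes and administrative networks) should reach it. It assumes nftables on the appliance host or an upstream Linux firewall, and iproute2's ss for the local check.

```shell
#!/usr/bin/env bash
# Added example, not Fortinet guidance: an nftables allowlist for the phMonitor
# port plus two small checks. Table/set/chain names and the sample networks are
# placeholders; the only facts taken from the advisory are that phMonitor
# listens on TCP/7900 and that access should be limited to trusted hosts.
# Assumes nftables on the appliance host (or an upstream Linux firewall) and
# iproute2's ss for the local check.

# phmonitor_nft_ruleset CIDR...: print a ruleset that accepts TCP/7900 from the
# loopback interface and the listed IPv4 networks (other FortiSIEM nodes and
# admin subnets) and logs and drops every other connection to that port.
# Other traffic is untouched (policy accept, dedicated table, priority -10 so it
# runs before the default filter hook). IPv6 peers would need a second set.
phmonitor_nft_ruleset() {
    [ "$#" -ge 1 ] || { echo 'usage: phmonitor_nft_ruleset CIDR...' >&2; return 1; }
    local allow
    allow=$(printf '%s, ' "$@"); allow=${allow%, }
    cat <<EOF
table inet fortisiem_phmonitor {
    set phmonitor_peers {
        type ipv4_addr
        flags interval
        elements = { $allow }
    }
    chain input {
        type filter hook input priority -10; policy accept;
        iifname "lo" accept
        tcp dport 7900 ip saddr @phmonitor_peers accept
        tcp dport 7900 counter log prefix "phMonitor-blocked " drop
    }
}
EOF
}

# Apply (and persist by also writing it into /etc/nftables.conf):
#   phmonitor_nft_ruleset 10.10.0.0/24 10.20.5.0/24 | sudo nft -f -

# phmonitor_listening: succeed if something on this host is bound to TCP/7900.
phmonitor_listening() {
    ss -ltnH 'sport = :7900' 2>/dev/null | grep -q .
}

# phmonitor_reachable HOST: run from a machine outside the trusted networks;
# succeeds if HOST still accepts a TCP connection on 7900 (bash /dev/tcp, no nc).
# After the ruleset is applied this should fail from untrusted sources.
phmonitor_reachable() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/7900" 2>/dev/null
}
```

Every supervisor, worker and collector that must talk to phMonitor has to be in the peer set, so confirm the node list before applying; the log prefix makes blocked attempts visible in the kernel log for the SIEM itself to ingest.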

Timeline

14 August 2025
Vulnerability discovered and reported to Fortinet PSIRT.

16 September 2025
Fortinet reproduced the findings.

November 2025 – January 2026
Ongoing coordination regarding patch timelines across multiple FortiSIEM branches.

13 January 2026
Fortinet publishes advisory FG-IR-25-772 and releases the fixed builds; coordinated public disclosure.
