CVE-2025-64155
Unknown Unknown - Not Provided
OS Command Injection in Fortinet FortiSIEM Enables Remote Code Execution

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: Fortinet, Inc.

Description
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM 6.7.0 through 6.7.10 may allow an attacker to execute unauthorized code or commands via crafted TCP requests.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2025-64155
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
fortinet fortisiem 7.4.0
fortinet fortisiem From 7.3.0 (inc) to 7.3.4 (inc)
fortinet fortisiem From 7.1.0 (inc) to 7.1.8 (inc)
fortinet fortisiem From 7.0.0 (inc) to 7.0.4 (inc)
fortinet fortisiem From 6.7.0 (inc) to 6.7.10 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Fortinet FortiSIEM allows an attacker to perform argument injection that leads to remote code execution with root privileges. It exploits improper handling of arguments in the Phoenix Monitor service, enabling the attacker to write arbitrary files and execute malicious payloads as the root user. The attack involves sending crafted TCP requests that inject commands, which are later executed by a cron job on the target system. [1]

Impact Analysis

The vulnerability can allow an attacker to execute unauthorized code with root privileges on the affected system. This can lead to system instability, unauthorized access, and control over the system, including overwriting application files and potentially causing denial of service or further compromise of the network. [1]

Detection Guidance

Detection can involve monitoring for unusual TCP requests targeting the FortiSIEM Phoenix Monitor service port, as the exploit uses crafted TCP requests to inject commands. Additionally, running the provided exploit script (CVE-2025-64155.py) in a controlled environment can help understand the attack pattern. Specific commands include running network monitoring tools (e.g., tcpdump or Wireshark) to capture suspicious traffic on the Phoenix Monitor service port, and checking for unexpected files or processes spawned by cron jobs approximately one minute after suspicious activity. However, no explicit detection commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include restricting network access to the FortiSIEM Phoenix Monitor service port to trusted hosts only, monitoring and blocking suspicious TCP requests, and applying any available patches or updates from Fortinet for FortiSIEM versions 6.7.0 through 7.4.0. Additionally, reviewing and hardening cron jobs and file permissions to prevent unauthorized payload execution is advised. Since the exploit involves argument injection leading to root-level code execution, minimizing exposure and applying vendor fixes are critical. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart