CVE-2025-64155
OS Command Injection in Fortinet FortiSIEM Enables Remote Code Execution
Publication date: 2026-01-13
Last updated on: 2026-01-13
Assigner: Fortinet, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fortinet | fortisiem | 7.4.0 |
| fortinet | fortisiem | From 7.3.0 (inc) to 7.3.4 (inc) |
| fortinet | fortisiem | From 7.1.0 (inc) to 7.1.8 (inc) |
| fortinet | fortisiem | From 7.0.0 (inc) to 7.0.4 (inc) |
| fortinet | fortisiem | From 6.7.0 (inc) to 6.7.10 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Fortinet FortiSIEM allows an attacker to perform argument injection that leads to remote code execution with root privileges. It exploits improper handling of arguments in the Phoenix Monitor service, enabling the attacker to write arbitrary files and execute malicious payloads as the root user. The attack involves sending crafted TCP requests that inject commands, which are later executed by a cron job on the target system. [1]
How can this vulnerability impact me? :
The vulnerability can allow an attacker to execute unauthorized code with root privileges on the affected system. This can lead to system instability, unauthorized access, and control over the system, including overwriting application files and potentially causing denial of service or further compromise of the network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve monitoring for unusual TCP requests targeting the FortiSIEM Phoenix Monitor service port, as the exploit uses crafted TCP requests to inject commands. Additionally, running the provided exploit script (CVE-2025-64155.py) in a controlled environment can help understand the attack pattern. Specific commands include running network monitoring tools (e.g., tcpdump or Wireshark) to capture suspicious traffic on the Phoenix Monitor service port, and checking for unexpected files or processes spawned by cron jobs approximately one minute after suspicious activity. However, no explicit detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the FortiSIEM Phoenix Monitor service port to trusted hosts only, monitoring and blocking suspicious TCP requests, and applying any available patches or updates from Fortinet for FortiSIEM versions 6.7.0 through 7.4.0. Additionally, reviewing and hardening cron jobs and file permissions to prevent unauthorized payload execution is advised. Since the exploit involves argument injection leading to root-level code execution, minimizing exposure and applying vendor fixes are critical. [1]