Severity
High
Analysis Summary
Fortinet has disclosed a critical OS command injection vulnerability in FortiSIEM that allows unauthenticated remote attackers to execute arbitrary code on affected systems. The flaw, tracked as CVE-2025-64155, was publicly announced on January 13, 2026 and affects the phMonitor component listening on TCP port 7900. Due to improper neutralization of special elements in OS commands (CWE-78), attackers can send specially crafted TCP requests to Super and Worker nodes, potentially leading to full system compromise. The vulnerability carries a CVSS v3.1 score (Critical) because it is network-accessible, requires no privileges, and needs no user interaction.
Successful exploitation could allow attackers to achieve remote code execution (RCE), steal sensitive SIEM data, install persistence mechanisms, and gain deep visibility into enterprise security operations. Since FortiSIEM is often deployed in hybrid and on-premises environments with access to critical infrastructure logs and alerts, a compromise could have severe operational and security consequences. The issue does not affect Collector nodes, but Super and Worker nodes remain exposed if TCP port 7900 is reachable from untrusted networks.
Multiple FortiSIEM branches are impacted. FortiSIEM Cloud and version 7.5 are not affected, while versions 7.4.0, 7.3.0–7.3.4, 7.2.0–7.2.6, and 7.1.0–7.1.8 require immediate upgrades to their fixed releases. Older branches including 7.0.x and 6.7.x must be migrated to supported versions. As a temporary mitigation, Fortinet recommends restricting access to TCP port 7900 using firewall rules until patches can be applied.
The vulnerability was responsibly disclosed by a security researcher under Fortinet’s coordinated disclosure program. The advisory is tracked internally as FG-IR-25-772, with NVD analysis still pending. Although there is currently no evidence of active exploitation, the unauthenticated nature of the flaw makes it highly attractive to attackers. Fortinet strongly advises organizations to audit logs for suspicious TCP/7900 activity, apply patches immediately, and enforce least-privilege network segmentation to reduce exposure of SIEM infrastructure.
Impact
- Sensitive Data Theft
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-64155
Affected Vendors
Remediation
- Immediately upgrade FortiSIEM to a fixed version.
- Restrict access to TCP port 7900 using firewall rules and network ACLs so it is only reachable from trusted internal systems.
- Block external and untrusted network access to Super and Worker nodes
- Deploy network segmentation to isolate FortiSIEM management components from user and internet-facing networks.
- Monitor and audit logs for any suspicious or anomalous traffic targeting port 7900
- Enable intrusion detection and prevention rules to detect exploitation attempts against the phMonitor service.
- Review system integrity for signs of compromise, including unauthorized processes, files, and scheduled tasks.
- Apply the principle of least privilege to all FortiSIEM service accounts.
- Keep FortiSIEM and all dependent components on a regular patch management cycle
- Subscribe to Fortinet PSIRT advisories to stay informed about future security updates and fixes.