Skip to main content
Mallory
Mallory

FortiSIEM Unauthenticated RCE via phMonitor OS Command Injection (CVE-2025-64155)

FortiSIEMOS command injectionCVSS 9.4Fortinetcommand injectionprivilege escalationremote code executionpublic exploitphMonitorunauthenticatedvulnerabilityRCEport 7900CLIargument injection
Updated January 16, 2026 at 02:03 PM13 sources
FortiSIEM Unauthenticated RCE via phMonitor OS Command Injection (CVE-2025-64155)

Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

Fortinet disclosed and patched a critical FortiSIEM OS command injection vulnerability, CVE-2025-64155 (CVSS 9.4), that enables unauthenticated remote code execution via crafted TCP/CLI requests to the phMonitor service (default port 7900). Impact is reported on FortiSIEM Super and Worker nodes (Collector nodes reportedly not affected), with recommended upgrades to 7.4.1, 7.3.5, or 7.2.7; a key mitigation is to restrict network access to port 7900.

Technical analysis described an exploit chain in which attacker-controlled inputs in phMonitor requests can be leveraged for argument injection leading to arbitrary file write and code execution (initially as an admin-level context), followed by a file overwrite privilege escalation to root. Public exploit material is reported to be available, and the issue has drawn threat-actor interest (including references in leaked Black Basta chats), increasing the likelihood of opportunistic exploitation against exposed FortiSIEM deployments.

Related Entities

Vulnerabilities

Unauthenticated OS command injection RCE in Fortinet FortiSIEM phMonitor (TCP/7900) (CVE-2025-64155)OS command injection in Fortinet FortiSIEM (crafted API requests) (CVE-2023-34992)Unauthenticated OS command injection in Fortinet FortiSIEM (phMonitor) (CVE-2025-25256)OS command injection in Fortinet (crafted API requests) (CVE-2024-23109)Unauthenticated OS command injection in Fortinet FortiSIEM phMonitor (CVE-2024-23108) (CVE-2024-23108)Authenticated SQL Injection in Fortinet FortiClientEMS (CVE-2025-59922)Heap-based buffer overflow in Fortinet FortiOS / FortiSwitchManager cw_acd daemon (CVE-2025-25249)Unauthenticated device configuration disclosure in Fortinet FortiFone Web Portal (CVE-2025-47855)SSRF in Fortinet FortiSandbox GUI (plaintext internal request proxy) (CVE-2025-67685)Unauthenticated RCE via stack-based buffer overflow in Fortinet FortiVoice/FortiMail/FortiNDR/FortiRecorder/FortiCamera (hash cookie) (CVE-2025-32756)FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCE (CVE-2022-42475)FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow RCE (CVE-2023-27997)Privileged arbitrary file deletion via path traversal in Fortinet FortiVoice (7.2.0-7.2.2, 7.0.0-7.0.7) (CVE-2025-58693)Authentication bypass and administrative takeover in Fortinet FortiWeb (CVE-2025-64446)Authenticated OS command injection in Fortinet FortiWeb API/CLI (CVE-2025-58034) (CVE-2025-58034)Authentication Bypass in FortiOS and FortiProxy Node.js WebSocket Management Interface (CVE-2024-55591)Authentication bypass in Fortinet FortiOS/FortiProxy/FortiSwitchManager administrative interface (HTTP/HTTPS) (CVE-2022-40684)RCE in Fortinet FortiOS and FortiProxy SSL-VPN (CVE-2024-21762) (CVE-2024-21762)Unauthenticated RCE in Zoho ManageEngine SAML SSO via Apache Santuario xmlsec (CVE-2022-47966)

Threat Actors

Volt Typhoon

Malware

COATHANGERBlack Basta

Organizations

FortinetThe Hacker NewsRedditSecure-ISSeSentireHorizon3.aiTenableBleepingComputerDefusedTrend Micro

Affected Products

Fortisiem

Sources

bleeping computer
Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
January 16, 2026 at 10:29 AM
arctic wolf blog
CVE-2025-64155: FortiSIEM | Arctic Wolf
January 15, 2026 at 07:07 PM
scworld
Fortinet patches critical FortiSIEM vulnerability allowing code execution | SC Media
January 15, 2026 at 06:30 PM
arctic wolf blog
CVE-2025-64155 | Arctic Wolf
January 15, 2026 at 05:35 PM
cyber security news
Fortinet FortiSIEM Vulnerability CVE-2025-64155 Actively Exploited in Attacks
January 15, 2026 at 05:09 PM

5 more from sources like horizon3 blog, help net security, rescana blog, tenable blog and cyber security news

Related Stories

Public Exploit Released for Critical FortiSIEM Unauthenticated Command Injection (CVE-2025-25256)

Public Exploit Released for Critical FortiSIEM Unauthenticated Command Injection (CVE-2025-25256)

Technical details and public exploit code were released for a **critical Fortinet FortiSIEM** vulnerability, **CVE-2025-25256**, that enables a **remote, unauthenticated attacker** to execute unauthorized OS commands/code via crafted TCP requests. Reporting attributes the issue to exposed command handlers on the `phMonitor` service that can be invoked without authentication, chaining an arbitrary write with elevated permissions and privilege escalation to achieve **root** access. Fortinet has issued patches across affected FortiSIEM versions (reported as impacting **6.7 through 7.5**) and stated that all vulnerable versions are now fixed, following earlier partial fixes across product branches. Researchers noted `phMonitor` has been a recurring entry point for prior FortiSIEM flaws (including **CVE-2023-34992** and **CVE-2024-23108**) and warned that ransomware operators (e.g., **Black Basta**) have previously shown interest in FortiSIEM exploitation, increasing the likelihood of opportunistic targeting now that exploit code is public.

2 months ago
Active Exploitation of Critical Infrastructure Management RCE Flaws

Active Exploitation of Critical Infrastructure Management RCE Flaws

Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.

1 months ago
Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)

Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)

Fortinet issued a critical advisory for *FortiClient Enterprise Management Server (EMS)* warning that **CVE-2026-21643** enables **unauthenticated remote code execution** via an **SQL injection** flaw (`CWE-89`) in the product’s **GUI/web interface**. By sending specially crafted HTTP requests that exploit insufficient input sanitization, an external attacker could execute arbitrary code or unauthorized commands on the EMS server without valid credentials, potentially turning a central endpoint-management platform into a foothold for broader compromise. The issue is reported as affecting the **7.4** line, with **FortiClientEMS 7.4.4** explicitly called out as vulnerable; Fortinet’s recommended remediation is to **upgrade to 7.4.5 or later**. Fortinet also stated that the **8.0** and **7.2** branches are **not affected**, and an updated note indicated **FortiEMS Cloud/SaaS instances are not impacted**, narrowing immediate exposure primarily to on-prem deployments running the affected version.

1 months ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.