FortiSIEM Unauthenticated RCE via phMonitor OS Command Injection (CVE-2025-64155)
Fortinet disclosed and patched a critical FortiSIEM OS command injection vulnerability, CVE-2025-64155 (CVSS 9.4), that enables unauthenticated remote code execution via crafted TCP/CLI requests to the phMonitor service (default port 7900). Impact is reported on FortiSIEM Super and Worker nodes (Collector nodes reportedly not affected), with recommended upgrades to 7.4.1, 7.3.5, or 7.2.7; a key mitigation is to restrict network access to port 7900.
Technical analysis described an exploit chain in which attacker-controlled inputs in phMonitor requests can be leveraged for argument injection leading to arbitrary file write and code execution (initially as an admin-level context), followed by a file overwrite privilege escalation to root. Public exploit material is reported to be available, and the issue has drawn threat-actor interest (including references in leaked Black Basta chats), increasing the likelihood of opportunistic exploitation against exposed FortiSIEM deployments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Defused detects active exploitation of CVE-2025-64155 in honeypots
By 2026-01-15, Defused reported seeing targeted exploitation attempts against CVE-2025-64155 through honeypot deployments. The observed attacks followed public disclosure and PoC release, indicating the FortiSIEM flaw had moved from patch-only status to active abuse.
Horizon3.ai publishes technical analysis and PoC for CVE-2025-64155
On 2026-01-13, Horizon3.ai released a technical write-up and proof-of-concept exploit for CVE-2025-64155 after privately reporting the issue to Fortinet. The research described how unauthenticated argument injection in the phMonitor service could be used for arbitrary file write, admin-level code execution, and escalation to root, and included indicators of compromise and log-hunting guidance.
Fortinet releases advisory and patches for CVE-2025-64155 and other flaws
On 2026-01-13, Fortinet published advisory FG-IR-25-772 and released fixes for the critical FortiSIEM command injection flaw CVE-2025-64155, along with other vulnerabilities including the critical FortiFone Web Portal information disclosure bug CVE-2025-47855. Fortinet provided affected version details, upgrade guidance, and a workaround to restrict access to the phMonitor service on TCP port 7900.
Fortinet observes exploitation of CVE-2025-25256 in the wild
In August 2025, Fortinet issued an advisory for CVE-2025-25256, a FortiSIEM OS command injection flaw reachable via crafted CLI requests. The company said exploitation had been observed in the wild, and later research into this issue led to discovery of a related exploit chain tracked as CVE-2025-64155.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
13 references tracked. Mallory keeps watching after this page renders.
Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
bleepingcomputer.com
Open sourceCVE-2025-64155: FortiSIEM | Arctic Wolf
arcticwolf.com
Open sourceFortinet patches critical FortiSIEM vulnerability allowing code execution | SC Media
scworld.com
Open sourceCVE-2025-64155 | Arctic Wolf
arcticwolf.com
Open sourceCritical FortiSIEM Vulnerability Enable Full RCE and Root Compromise
cybersecuritynews.com
Open sourceFortinet Critical Alert: CVE-2025-64155 RCE & Config Leaks Exposed
securityonline.info
Open sourceFortinet fixed two critical flaws in FortiFone and FortiSIEM
securityaffairs.com
Open sourceFortinet fixed two critical flaws in FortiFone and FortiSIEM
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Public Exploit Released for Critical FortiSIEM Unauthenticated Command Injection (CVE-2025-25256)
Technical details and public exploit code were released for a **critical Fortinet FortiSIEM** vulnerability, **CVE-2025-25256**, that enables a **remote, unauthenticated attacker** to execute unauthorized OS commands/code via crafted TCP requests. Reporting attributes the issue to exposed command handlers on the `phMonitor` service that can be invoked without authentication, chaining an arbitrary write with elevated permissions and privilege escalation to achieve **root** access. Fortinet has issued patches across affected FortiSIEM versions (reported as impacting **6.7 through 7.5**) and stated that all vulnerable versions are now fixed, following earlier partial fixes across product branches. Researchers noted `phMonitor` has been a recurring entry point for prior FortiSIEM flaws (including **CVE-2023-34992** and **CVE-2024-23108**) and warned that ransomware operators (e.g., **Black Basta**) have previously shown interest in FortiSIEM exploitation, increasing the likelihood of opportunistic targeting now that exploit code is public.
Mar 21, 2026
Active Exploitation of Critical Infrastructure Management RCE Flaws
Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.
Mar 21, 2026
Unauthenticated RCE in FortiClient EMS via SQL Injection (CVE-2026-21643)
Fortinet issued a critical advisory for *FortiClient Enterprise Management Server (EMS)* warning that **CVE-2026-21643** enables **unauthenticated remote code execution** via an **SQL injection** flaw (`CWE-89`) in the product’s **GUI/web interface**. By sending specially crafted HTTP requests that exploit insufficient input sanitization, an external attacker could execute arbitrary code or unauthorized commands on the EMS server without valid credentials, potentially turning a central endpoint-management platform into a foothold for broader compromise. The issue is reported as affecting the **7.4** line, with **FortiClientEMS 7.4.4** explicitly called out as vulnerable; Fortinet’s recommended remediation is to **upgrade to 7.4.5 or later**. Fortinet also stated that the **8.0** and **7.2** branches are **not affected**, and an updated note indicated **FortiEMS Cloud/SaaS instances are not impacted**, narrowing immediate exposure primarily to on-prem deployments running the affected version.
Mar 21, 2026