Public Exploit Released for Critical FortiSIEM Unauthenticated Command Injection (CVE-2025-25256)
Technical details and public exploit code were released for a critical Fortinet FortiSIEM vulnerability, CVE-2025-25256, that enables a remote, unauthenticated attacker to execute unauthorized OS commands/code via crafted TCP requests. Reporting attributes the issue to exposed command handlers on the phMonitor service that can be invoked without authentication, chaining an arbitrary write with elevated permissions and privilege escalation to achieve root access.
Fortinet has issued patches across affected FortiSIEM versions (reported as impacting 6.7 through 7.5) and stated that all vulnerable versions are now fixed, following earlier partial fixes across product branches. Researchers noted phMonitor has been a recurring entry point for prior FortiSIEM flaws (including CVE-2023-34992 and CVE-2024-23108) and warned that ransomware operators (e.g., Black Basta) have previously shown interest in FortiSIEM exploitation, increasing the likelihood of opportunistic targeting now that exploit code is public.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Horizon3.ai publishes technical analysis and public exploit code
Horizon3.ai released a detailed write-up and demonstrative public exploit for CVE-2025-25256 after Fortinet published fixes. The researchers also shared indicators of compromise, relevant log locations, and noted that restricting access to phMonitor port 7900 can help mitigate exposure.
Fortinet releases fixes and security advisory for CVE-2025-25256
After receiving the report, Fortinet issued patches and a security advisory for the critical FortiSIEM OS command injection bug across supported branches. Fortinet said FortiSIEM 7.5 and FortiSIEM Cloud are not affected, while unsupported versions 7.0 and 6.7.0 remain unpatched.
Horizon3.ai reports FortiSIEM command injection flaw to Fortinet
Horizon3.ai discovered and reported the FortiSIEM vulnerability later assigned CVE-2025-25256 to Fortinet in mid-August 2025. The flaw allows unauthenticated command execution through crafted TCP requests to the phMonitor service.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
FortiSIEM Unauthenticated RCE via phMonitor OS Command Injection (CVE-2025-64155)
Fortinet disclosed and patched a **critical FortiSIEM OS command injection** vulnerability, **CVE-2025-64155** (CVSS **9.4**), that enables **unauthenticated remote code execution** via crafted TCP/CLI requests to the *phMonitor* service (default **port 7900**). Impact is reported on FortiSIEM **Super and Worker nodes** (Collector nodes reportedly not affected), with recommended upgrades to **7.4.1**, **7.3.5**, or **7.2.7**; a key mitigation is to **restrict network access to port 7900**. Technical analysis described an exploit chain in which attacker-controlled inputs in *phMonitor* requests can be leveraged for **argument injection** leading to **arbitrary file write and code execution** (initially as an admin-level context), followed by a **file overwrite privilege escalation to root**. Public exploit material is reported to be available, and the issue has drawn threat-actor interest (including references in leaked **Black Basta** chats), increasing the likelihood of opportunistic exploitation against exposed FortiSIEM deployments.
Mar 21, 2026
Active Exploitation of Critical Infrastructure Management RCE Flaws
Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.
Mar 21, 2026
Active Exploitation of FortiWeb Command Injection Vulnerability (CVE-2025-58034)
Attackers are actively exploiting a command injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-58034, which allows authenticated users to execute unauthorized code on affected systems. The flaw, caused by improper neutralization of special elements in the `policy_scripting_post_handler` method, enables code execution as root via crafted HTTP requests or CLI commands. Fortinet released patches for affected FortiWeb versions between October 23 and 31, 2025, but did not publicly disclose the vulnerability at the time. The issue was privately reported by a Trend Micro researcher, and both Fortinet and CISA have confirmed active exploitation, with CISA adding the CVE to its Known Exploited Vulnerabilities catalog and mandating rapid remediation for US federal agencies. Security researchers warn that proof-of-concept code for CVE-2025-58034 may soon be publicly available, increasing the risk of widespread attacks. There is currently no workaround for this vulnerability, and organizations are urged to upgrade to the fixed FortiWeb versions immediately and check for signs of compromise. The vulnerability requires authentication to exploit, but successful exploitation grants attackers root-level access. The disclosure timeline shows the vulnerability was reported in June 2025 and publicly disclosed in November 2025, with coordinated advisories from both Fortinet and the Zero Day Initiative.
Mar 21, 2026