Mallory

Public Exploit Released for Critical FortiSIEM Unauthenticated Command Injection (CVE-2025-25256)

Tags: FortiSIEM, exploit, command-injection, Fortinet, unauthenticated, vulnerability, ransomware, privilege-escalation, OS, arbitrary-write, patches, TCP, phMonitor
Updated January 15, 2026 at 01:55 PM (2 sources)

Technical details and public exploit code were released for a critical Fortinet FortiSIEM vulnerability, CVE-2025-25256, that enables a remote, unauthenticated attacker to execute unauthorized OS commands/code via crafted TCP requests. Reporting attributes the issue to exposed command handlers on the phMonitor service that can be invoked without authentication, chaining an arbitrary write with elevated permissions and privilege escalation to achieve root access.

Fortinet has issued patches across affected FortiSIEM versions (reported as impacting 6.7 through 7.5) and stated that all vulnerable versions are now fixed, following earlier partial fixes across product branches. Researchers noted phMonitor has been a recurring entry point for prior FortiSIEM flaws (including CVE-2023-34992 and CVE-2024-23108) and warned that ransomware operators (e.g., Black Basta) have previously shown interest in FortiSIEM exploitation, increasing the likelihood of opportunistic targeting now that exploit code is public.

Related Stories

FortiSIEM Unauthenticated RCE via phMonitor OS Command Injection (CVE-2025-64155)

Fortinet disclosed and patched a **critical FortiSIEM OS command injection** vulnerability, **CVE-2025-64155** (CVSS **9.4**), that enables **unauthenticated remote code execution** via crafted TCP/CLI requests to the *phMonitor* service (default **port 7900**). Impact is reported on FortiSIEM **Super and Worker nodes** (Collector nodes reportedly not affected), with recommended upgrades to **7.4.1**, **7.3.5**, or **7.2.7**; a key mitigation is to **restrict network access to port 7900**. Technical analysis described an exploit chain in which attacker-controlled inputs in *phMonitor* requests can be leveraged for **argument injection** leading to **arbitrary file write and code execution** (initially as an admin-level context), followed by a **file overwrite privilege escalation to root**. Public exploit material is reported to be available, and the issue has drawn threat-actor interest (including references in leaked **Black Basta** chats), increasing the likelihood of opportunistic exploitation against exposed FortiSIEM deployments.

2 months ago
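As an added illustration of the triage the advisory summary implies (example code, not from Fortinet or from this page), the following Python helper classifies a FortiSIEM node by version and role against the fixed builds listed above (7.4.1, 7.3.5, 7.2.7; Collector nodes unaffected) and flags connections to phMonitor's TCP port 7900 from hosts outside an allowlist. The node inventory, the flow-log record format and the allowlist are constructed for the example; branches the summary does not list are reported as unknown rather than assumed safe.

```python
"""FortiSIEM triage helper for CVE-2025-64155 (added example, not vendor code).

Fixed builds, affected roles and the phMonitor port come from the advisory
summary; the log format and allowlist below are constructed for this example.
"""

# Minimum patched build per release branch, per the advisory summary.
FIXED_BY_BRANCH = {(7, 4): (7, 4, 1), (7, 3): (7, 3, 5), (7, 2): (7, 2, 7)}
AFFECTED_ROLES = {"super", "worker"}  # Collector nodes are reported unaffected
PHMONITOR_PORT = 7900


def parse_version(text: str) -> tuple[int, ...]:
    """'7.3.4' -> (7, 3, 4); tolerates a build suffix such as '7.3.4-1234'."""
    return tuple(int(p) for p in text.split("-", 1)[0].split("."))


def node_status(version: str, role: str) -> str:
    """Return 'patched', 'vulnerable', 'not-affected' or 'unknown-branch'."""
    if role.lower() not in AFFECTED_ROLES:
        return "not-affected"
    ver = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(ver[:2])
    if fixed is None:  # branch not listed in the summary: do not assume it is safe
        return "unknown-branch"
    return "patched" if ver >= fixed else "vulnerable"


def exposed_phmonitor_flows(log_lines: list[str], allowlist: set[str]) -> list[str]:
    """Return source IPs reaching TCP/7900 that are not known FortiSIEM nodes.

    Each line is a constructed record: 'src_ip dst_ip dst_port proto'.
    """
    hits = []
    for line in log_lines:
        src, _dst, port, proto = line.split()
        if proto == "tcp" and int(port) == PHMONITOR_PORT and src not in allowlist:
            hits.append(src)
    return hits


if __name__ == "__main__":
    # Constructed inventory: (hostname, version, role)
    nodes = [("super-01", "7.3.4", "Super"), ("worker-02", "7.4.1", "Worker"),
             ("coll-03", "7.2.6", "Collector"), ("worker-04", "7.1.2", "Worker")]
    for name, ver, role in nodes:
        print(f"{name:10} {ver:7} {role:10} {node_status(ver, role)}")
    # Constructed flow records; only cluster nodes should ever reach phMonitor.
    flows = ["10.0.0.12 10.0.0.10 7900 tcp", "203.0.113.7 10.0.0.10 7900 tcp",
             "10.0.0.12 10.0.0.10 443 tcp"]
    print("unexpected phMonitor sources:",
          exposed_phmonitor_flows(flows, {"10.0.0.10", "10.0.0.11", "10.0.0.12"}))
```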
Active Exploitation of Critical Infrastructure Management RCE Flaws

Multiple maximum-severity vulnerabilities in enterprise infrastructure management products are being **actively exploited**, enabling unauthenticated remote code execution as `root` and creating high-impact initial access paths into data center and security operations environments. Reported exploitation includes mass, automated scanning and rapid weaponization following public disclosure and PoC availability, increasing the likelihood of opportunistic compromise, follow-on payload delivery, and lateral movement in affected networks. Fortinet *FortiSIEM* is reported as under active attack via **CVE-2024-23108**, an unauthenticated command-injection issue in the `phMonitor` component (noted as listening on TCP `8014`) that can yield full system compromise. Separately, Cisco *Secure Email Gateway* / *Secure Email and Web Manager* is reported as exploited via **CVE-2024-20353** (CVSS 10.0), with activity attributed to China-linked **UAT-9686** leveraging the Spam Quarantine interface to gain root execution and deploy custom malware for persistence and evasion. In parallel, Check Point-linked reporting describes **RondoDox** botnet-driven exploitation of HPE *OneView* **CVE-2025-37164** at scale (tens of thousands of attempts observed), consistent with an “exploit-shotgun” approach used to build botnets for DDoS, cryptomining, and secondary payload delivery; the surge coincided with the flaw’s addition to CISA’s known-exploited list.

1 month ago

Active Exploitation of FortiWeb Command Injection Vulnerability (CVE-2025-58034)

Attackers are actively exploiting a command injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-58034, which allows authenticated users to execute unauthorized code on affected systems. The flaw, caused by improper neutralization of special elements in the `policy_scripting_post_handler` method, enables code execution as root via crafted HTTP requests or CLI commands. Fortinet released patches for affected FortiWeb versions between October 23 and 31, 2025, but did not publicly disclose the vulnerability at the time. The issue was privately reported by a Trend Micro researcher, and both Fortinet and CISA have confirmed active exploitation, with CISA adding the CVE to its Known Exploited Vulnerabilities catalog and mandating rapid remediation for US federal agencies. Security researchers warn that proof-of-concept code for CVE-2025-58034 may soon be publicly available, increasing the risk of widespread attacks. There is currently no workaround for this vulnerability, and organizations are urged to upgrade to the fixed FortiWeb versions immediately and check for signs of compromise. The vulnerability requires authentication to exploit, but successful exploitation grants attackers root-level access. The disclosure timeline shows the vulnerability was reported in June 2025 and publicly disclosed in November 2025, with coordinated advisories from both Fortinet and the Zero Day Initiative.

3 months ago
