
Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution

Published:

14 January 2026 at 11:53:00

Alert date:

14 January 2026 at 13:07:04

Source:

thehackernews.com


Security Tools, Zero-Day Vulnerabilities

Fortinet has released updates to fix a critical security flaw in FortiSIEM that could allow unauthenticated attackers to achieve remote code execution. The vulnerability, tracked as CVE-2025-64155, is an OS command injection flaw with a CVSS score of 9.4 out of 10.0. The flaw is caused by improper neutralization of special elements used in OS commands, allowing attackers to execute arbitrary code on vulnerable FortiSIEM instances without authentication. This represents a significant security risk for organizations using FortiSIEM for security information and event management.

Technical details

The vulnerability is an OS command injection flaw (CWE-78) in the phMonitor service of FortiSIEM. phMonitor handles health monitoring, task distribution, and inter-node communication over TCP port 7900. The reported exploit chain combines two weaknesses: an unauthenticated argument injection that yields an arbitrary file write and remote code execution as the admin user, and a file-overwrite privilege escalation that yields root. The attack abuses how phMonitor handles requests for logging security events to Elasticsearch, which invoke shell scripts with user-controlled parameters; those parameters reach curl, so argument injection against curl produces the arbitrary file write. Attackers can use that write to place a reverse shell in /opt/charting/redishb.sh, which a root-level cron job executes every minute, escalating from admin to root.

Mitigation steps:

Upgrade FortiSIEM 7.1.0 through 7.1.8 to 7.1.9 or above
Upgrade FortiSIEM 7.2.0 through 7.2.6 to 7.2.7 or above
Upgrade FortiSIEM 7.3.0 through 7.3.4 to 7.3.5 or above
Upgrade FortiSIEM 7.4.0 to 7.4.1 or above
Migrate FortiSIEM 6.7.0 through 6.7.10 to a fixed release
Migrate FortiSIEM 7.0.0 through 7.0.4 to a fixed release
Upgrade FortiFone 3.0.13 through 3.0.23 to 3.0.24 or above
Upgrade FortiFone 7.0.0 through 7.0.1 to 7.0.2 or above
As a workaround, limit access to the phMonitor port (7900)

Affected products:

FortiSIEM 6.7.0 through 6.7.10
FortiSIEM 7.0.0 through 7.0.4
FortiSIEM 7.1.0 through 7.1.8
FortiSIEM 7.2.0 through 7.2.6
FortiSIEM 7.3.0 through 7.3.4
FortiSIEM 7.4.0
FortiFone 3.0.13 through 3.0.23
FortiFone 7.0.0 through 7.0.1
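A version-range check a practitioner can run over an asset inventory to map each FortiSIEM or FortiFone build to the action listed under "Mitigation steps" and "Affected products" above. This is an added example, not Fortinet's or Perceptive's code; the ranges and fixed releases are transcribed from this advisory, and the product names and "migrate" wording for the branches without a fix are assumptions based on the text.

```python
"""Map a FortiSIEM/FortiFone version to this advisory's recommended action.

Added example; the ranges below are transcribed from the advisory text.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (product, lowest affected, highest affected, fixed release or None when
# the advisory says the branch must be migrated to a fixed release)
AFFECTED = [
    ("FortiSIEM", "6.7.0", "6.7.10", None),
    ("FortiSIEM", "7.0.0", "7.0.4", None),
    ("FortiSIEM", "7.1.0", "7.1.8", "7.1.9"),
    ("FortiSIEM", "7.2.0", "7.2.6", "7.2.7"),
    ("FortiSIEM", "7.3.0", "7.3.4", "7.3.5"),
    ("FortiSIEM", "7.4.0", "7.4.0", "7.4.1"),
    ("FortiFone", "3.0.13", "3.0.23", "3.0.24"),
    ("FortiFone", "7.0.0", "7.0.1", "7.0.2"),
]


def parse_version(text: str) -> Version:
    """Turn '7.1.10' into (7, 1, 10) so comparisons are numeric.

    String comparison would wrongly rank '7.1.10' below '7.1.9'; missing
    trailing components are padded with 0 ('7.4' -> (7, 4, 0))."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 3:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    parts += ["0"] * (3 - len(parts))
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def check_version(product: str, version: str) -> str:
    """Return the advisory's action for one (product, version) pair."""
    v = parse_version(version)
    for prod, low, high, fixed in AFFECTED:
        if prod != product:
            continue
        if parse_version(low) <= v <= parse_version(high):
            if fixed is None:
                return "affected: migrate to a fixed release"
            return f"affected: upgrade to {fixed} or above"
    return "not in an affected range"


if __name__ == "__main__":
    # Constructed sample inventory rows.
    for prod, ver in [("FortiSIEM", "7.1.10"), ("FortiSIEM", "7.1.8"),
                      ("FortiSIEM", "6.7.3"), ("FortiFone", "7.0.2")]:
        print(prod, ver, "->", check_version(prod, ver))
```

A "not in an affected range" result only means the version is outside the ranges listed here; the workaround of restricting TCP port 7900 still applies until every node is on a fixed release.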

IOCs:

TCP port 7900, /opt/charting/redishb.sh

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
