Security teams worldwide are facing active attacks targeting a newly disclosed Fortinet FortiSIEM vulnerability identified as CVE-2025-64155. Threat actors now exploit this flaw to remotely execute commands without authentication, giving attackers full control over vulnerable systems.
Several honeypot networks recently detected exploitation attempts coming from multiple global IP addresses, including 129.226.190.169, which matches activity seen in real-world attack campaigns.
This vulnerability carries a CVSS severity score of 9.4, making it one of the most dangerous Fortinet flaws reported this year.
What Is CVE-2025-64155?
CVE-2025-64155 is an OS command injection vulnerability affecting FortiSIEM Super and Worker nodes. Attackers can send specially crafted TCP requests to the appliance and execute system commands without logging in.
The flaw exists inside FortiSIEM’s phMonitor service, a backend process responsible for system health checks and Elasticsearch communications. This service listens on TCP port 7900 and exposes several command handlers without authentication.
When attackers abuse this weakness, they can:
- Write arbitrary files on the system
- Execute remote commands as an admin user
- Escalate privileges to root
- Take complete control of the appliance
Security researchers confirmed that attackers can overwrite a scheduled system script and trigger a reverse shell that runs automatically with root privileges.
Why This Vulnerability Is Dangerous
This vulnerability allows unauthenticated remote code execution, which removes any security barrier for attackers. Anyone with network access to the exposed port can launch an attack.
Attackers exploit argument injection in a vulnerable curl command inside the monitoring script. The flaw allows malicious file writes that attackers weaponize to establish persistent system access.
Once attackers reach root access, they can:
- Steal sensitive logs and credentials
- Modify system monitoring rules
- Disable alerts and security controls
- Move laterally across connected networks
- Deploy ransomware or persistent backdoors
Because FortiSIEM often monitors critical enterprise infrastructure, a compromise can affect an entire organization’s visibility and incident response capability.
Active Exploitation Detected in the Wild
Threat intelligence teams confirmed live exploitation attempts against this vulnerability in January 2026. Honeypots recorded multiple attacking IP addresses actively scanning and exploiting exposed systems.
Some of the observed attacker IPs include:
- 167.17.179.109
- 103.224.84.76
- 209.126.11.25
- 120.231.127.227
- 129.226.190.169
- 220.181.41.80
Affected FortiSIEM Versions
The vulnerability impacts multiple FortiSIEM releases. Fortinet confirmed the following affected versions:
| FortiSIEM Version | Status | Required Action |
|---|---|---|
| 6.7.0 – 6.7.10 | Affected | Migrate to fixed release |
| 7.0.0 – 7.0.4 | Affected | Migrate to fixed release |
| 7.1.0 – 7.1.8 | Affected | Upgrade to 7.1.9+ |
| 7.2.0 – 7.2.6 | Affected | Upgrade to 7.2.7+ |
| 7.3.0 – 7.3.4 | Affected | Upgrade to 7.3.5+ |
| 7.4.0 | Affected | Upgrade to 7.4.1+ |
| 7.5 | Not affected | No action needed |
| FortiSIEM Cloud | Not affected | No action needed |
How Attackers Exploit This Vulnerability
Attackers target the exposed phMonitor service over TCP port 7900. The service accepts crafted input that injects arguments into a shell command.
The exploit flow typically looks like this:
- The attacker connects to port 7900 remotely.
- The attacker sends a malicious TCP request.
- The vulnerable script passes attacker-controlled input into a curl command.
- The attacker writes a malicious file onto the system.
- A scheduled system task executes the file automatically.
- The attacker gains root-level access.
Because the service does not require authentication, attackers can perform these steps without credentials.
How to Check If Your System Is Exposed
Security teams should immediately verify the following:
- Confirm your FortiSIEM version from the admin console.
- Check if TCP port 7900 is exposed to external networks.
- Review logs located at:
/opt/phoenix/log/phoenix.log- Search for unusual URLs, payloads, or unexpected commands inside the logs.
- Monitor outbound network connections from the appliance.
Any unknown outbound traffic or unexpected file changes may indicate compromise.
See also: Microsoft Copilot Blamed for UK Police Intelligence Error After AI Hallucinates Fake Football Match
How to Fix CVE-2025-64155
Fortinet strongly recommends applying official patches immediately.
Step 1: Upgrade FortiSIEM
Upgrade to one of the following secure versions:
- 7.1.9 or later
- 7.2.7 or later
- 7.3.5 or later
- 7.4.1 or later
Older branches must migrate to a supported fixed release.
Step 2: Restrict Network Access
If you cannot patch immediately:
- Block external access to TCP port 7900 at the firewall.
- Allow only trusted internal IP ranges.
- Monitor logs continuously for suspicious activity.
Step 3: Validate System Integrity
- Scan for unauthorized files.
- Reset admin credentials if compromise is suspected.
- Review cron jobs and scheduled scripts.
- Reimage affected systems if attackers gained root access.
FAQs
What is FortiSIEM vulnerability CVE-2025-64155?
FortiSIEM vulnerability CVE-2025-64155 is a critical OS command injection flaw that allows unauthenticated attackers to execute remote commands on vulnerable FortiSIEM systems, potentially gaining full administrative and root access.
Is CVE-2025-64155 actively exploited?
Yes. Security researchers have confirmed active exploitation of FortiSIEM vulnerability CVE-2025-64155 in the wild, with attackers scanning exposed systems and attempting unauthorized remote code execution.
Which FortiSIEM versions are affected by CVE-2025-64155?
CVE-2025-64155 affects FortiSIEM versions 6.7.0 through 7.4.0 on Super and Worker nodes. FortiSIEM 7.5 and FortiSIEM Cloud are not affected.
How dangerous is FortiSIEM vulnerability CVE-2025-64155?
FortiSIEM vulnerability CVE-2025-64155 has a CVSS score of 9.4, making it a critical severity flaw. Attackers can exploit it without authentication and gain full control of affected systems.
What causes CVE-2025-64155 in FortiSIEM?
The vulnerability occurs in the phMonitor service, which improperly handles user input when executing system commands. Attackers can inject malicious arguments through crafted TCP requests and trigger remote code execution.
How can I check if my FortiSIEM system is vulnerable?
You can check your FortiSIEM version in the admin console and verify whether your system runs any affected releases. Also confirm whether TCP port 7900 is exposed externally and review system logs for suspicious activity.
How do I fix FortiSIEM vulnerability CVE-2025-64155?
To fix FortiSIEM vulnerability CVE-2025-64155, upgrade your system to FortiSIEM 7.4.1 or later, 7.3.5 or later, 7.2.7 or later, or 7.1.9 or later. Apply the latest Fortinet security patches immediately.
What temporary mitigation can reduce risk before patching?
If immediate patching is not possible, restrict network access to TCP port 7900 using firewall rules and allow only trusted internal IP addresses.
Can attackers gain full control of the FortiSIEM appliance?
Yes. Successful exploitation of CVE-2025-64155 allows attackers to escalate privileges to root, which gives them complete control over the FortiSIEM appliance.
How can I detect signs of exploitation on my system?
Check the phMonitor log file located at /opt/phoenix/log/phoenix.log for unusual payload URLs, suspicious commands, or unexpected file modifications. Monitor outbound traffic for unknown destinations.
CVE-2025-64155 represents a critical risk for organizations running vulnerable FortiSIEM versions. Active exploitation confirms that attackers are moving quickly to abuse this flaw.
Apply patches immediately, restrict network exposure, and audit your systems for signs of compromise. Rapid response can prevent attackers from gaining persistent control over your security infrastructure.
