Full Report
Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances. The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system. "An improper neutralization of special elements used in an OS command ('OS command
Analysis Summary
# Vulnerability: Unauthenticated OS Command Injection Leading to Remote Code Execution in FortiSIEM
## CVE Details
- CVE ID: CVE-2025-64155
- CVSS Score: 9.4 (Critical)
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS command injection) or a closely related command-injection weakness.
## Affected Systems
- Products: FortiSIEM (Super and Worker nodes)
- Versions:
  - 6.7.0 through 6.7.10 (Migrate to fixed release)
  - 7.0.0 through 7.0.4 (Migrate to fixed release)
  - 7.1.0 through 7.1.8 (Upgrade to 7.1.9 or above)
  - 7.2.0 through 7.2.6 (Upgrade to 7.2.7 or above)
  - 7.3.0 through 7.3.4 (Upgrade to 7.3.5 or above)
  - 7.4.0 (Upgrade to 7.4.1 or above)
- Configurations: Affects Super and Worker nodes accessible over the network on port 7900. FortiSIEM 7.5 and FortiSIEM Cloud are reported as not affected.
## Vulnerability Description
The vulnerability is an OS command injection flaw in the `phMonitor` service, a backend process responsible for health monitoring and inter-node communication over TCP port 7900. The service exposes command handlers that require no authentication. When handling requests related to logging security events to Elasticsearch, it fails to neutralize attacker-controlled command arguments, which results in **argument injection via `curl`**. Compromise proceeds in two stages:
1. **Arbitrary file write:** the injected `curl` arguments give the attacker an arbitrary file write, which yields remote code execution as the **admin user**.
2. **Privilege escalation:** using that file write to overwrite `/opt/charting/redishb.sh`, a script that root executes from a cron job every minute, the attacker gains **root** and full control of the appliance.
## Exploitation
- Status: PoC available (Discovered and reported by Zach Hanley of Horizon3.ai)
- Complexity: Low (Can be triggered over the network without authentication by reaching port 7900)
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential for full system takeover)
- Integrity: High (Ability to execute arbitrary commands and elevate privileges to root)
- Availability: High (Full compromise of the appliance)
## Remediation
### Patches
Upgrade to the following fixed versions:
- FortiSIEM 7.1.9 or above
- FortiSIEM 7.2.7 or above
- FortiSIEM 7.3.5 or above
- FortiSIEM 7.4.1 or above
- For versions 6.7.x and 7.0.x, migrate to a fixed release (the advisory does not name a specific target stream; migration is recommended).
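The affected ranges and fix versions listed above are easy to misjudge by eye (string comparison puts 7.1.10 before 7.1.9, for instance). The following is an added example, not Fortinet's or FortiSIEM's own code: it encodes the ranges from the advisory summary and triages a node inventory against them. The `major.minor.patch` version format and the sample inventory are assumptions.

```python
"""Check FortiSIEM version strings against the CVE-2025-64155 affected ranges.

Added example (not Fortinet's or FortiSIEM's own code). The ranges and the
per-stream remediation text come from the advisory summary; the assumption is
that versions are reported as three dot-separated integers.
"""
from __future__ import annotations

Version = tuple[int, int, int]

# (lowest affected, highest affected, remediation) per release stream, inclusive.
# The 6.7 and 7.0 streams have no fixed build listed, only "migrate".
AFFECTED_RANGES: list[tuple[Version, Version, str]] = [
    ((6, 7, 0), (6, 7, 10), "migrate to a fixed release"),
    ((7, 0, 0), (7, 0, 4), "migrate to a fixed release"),
    ((7, 1, 0), (7, 1, 8), "upgrade to 7.1.9 or above"),
    ((7, 2, 0), (7, 2, 6), "upgrade to 7.2.7 or above"),
    ((7, 3, 0), (7, 3, 4), "upgrade to 7.3.5 or above"),
    ((7, 4, 0), (7, 4, 0), "upgrade to 7.4.1 or above"),
]


def parse_version(text: str) -> Version:
    """Turn '7.2.3' into (7, 2, 3); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def assess(version: str) -> tuple[bool, str]:
    """Return (affected, action) for one node's version string.

    Tuple comparison gives correct numeric ordering (7.1.10 > 7.1.9), which a
    plain string comparison would get wrong.
    """
    v = parse_version(version)
    for low, high, action in AFFECTED_RANGES:
        if low <= v <= high:
            return True, action
    return False, "not within an affected range listed in the advisory"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map node name -> remediation for every affected node in an inventory."""
    result: dict[str, str] = {}
    for name, ver in inventory.items():
        affected, action = assess(ver)
        if affected:
            result[name] = action
    return result


if __name__ == "__main__":
    # Constructed inventory of Super/Worker nodes; names and versions are made up.
    sample = {"super-01": "7.2.3", "worker-01": "7.2.7",
              "worker-02": "7.4.0", "worker-03": "7.5.0"}
    for node, action in triage(sample).items():
        print(f"{node}: AFFECTED -> {action}")
```

Versions outside every listed range (7.5.x, or a fixed build such as 7.4.1) are reported as not affected; the advisory says nothing about streams older than 6.7, so the function deliberately does not guess about them.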
### Workarounds
Limit network access to the `phMonitor` port (TCP 7900) to trusted sources only.
## Detection
- Indicators of Compromise: No hashes or other atomic indicators are listed; instead, monitor the `phMonitor` service (TCP/7900) for command-execution or file-write attempts. Specifically, look for connection attempts to TCP/7900 from untrusted sources, followed by signs of `curl` argument injection or by modifications to `/opt/charting/redishb.sh`.
- Detection Methods and Tools: Network monitoring and intrusion detection systems configured to inspect traffic on TCP port 7900 for anomalous command execution payloads.
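The two detection points above (connections to TCP/7900 from outside the trusted node set, and changes to the root cron script) can be turned into concrete checks. The following is an added example, not FortiSIEM's own code: the key=value log format, the trusted-network allow-list (which mirrors the workaround's "trusted sources only") and the stand-in script content are constructed assumptions; only TCP/7900 and `/opt/charting/redishb.sh` come from the advisory.

```python
"""Two defender-side checks for the CVE-2025-64155 detection guidance.

Added example (not FortiSIEM's own code). The log format, TRUSTED_NETS and the
cron-script baseline are constructed; TCP/7900 and the script path are from
the advisory.
"""
import hashlib
import ipaddress
import re
from pathlib import Path

PHMONITOR_PORT = 7900
CRON_SCRIPT = "/opt/charting/redishb.sh"

# Assumption: the segment that legitimately reaches phMonitor (Super/Worker
# nodes), i.e. the allow-list the advisory's workaround asks for.
TRUSTED_NETS = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed sample firewall log lines (not a real FortiSIEM or FortiGate format).
SAMPLE_LOG = """\
2025-11-20T10:00:01Z action=accept proto=tcp src=10.0.1.21 dst=10.0.1.20 dport=7900
2025-11-20T10:00:07Z action=accept proto=tcp src=203.0.113.45 dst=10.0.1.20 dport=7900
2025-11-20T10:00:09Z action=accept proto=tcp src=203.0.113.45 dst=10.0.1.20 dport=443
2025-11-20T10:00:12Z action=accept proto=tcp src=not-an-ip dst=10.0.1.20 dport=7900
2025-11-20T10:00:15Z action=accept proto=tcp src=198.51.100.9 dst=10.0.1.20 dport=7900
"""

LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def untrusted_phmonitor_connections(log_text, trusted_nets=TRUSTED_NETS):
    """Return (src, dst) pairs that reached TCP/7900 from outside the allow-list.

    Lines that do not match the format, or whose source is not a valid IP
    address, are skipped so one malformed line cannot abort the sweep.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group(3)) != PHMONITOR_PORT:
            continue
        src, dst = m.group(1), m.group(2)
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if not any(src_ip in net for net in trusted_nets):
            hits.append((src, dst))
    return hits


# File-integrity check for the root cron script named in the advisory.
# Constructed stand-in content; on a real node the baseline is the SHA-256
# recorded from a known-good appliance.
KNOWN_GOOD_CONTENT = b"#!/bin/bash\n# constructed placeholder for redishb.sh\nexit 0\n"
BASELINE_SHA256 = hashlib.sha256(KNOWN_GOOD_CONTENT).hexdigest()


def script_tampered(content: bytes, baseline_sha256: str = BASELINE_SHA256) -> bool:
    """True if the script bytes no longer match the recorded baseline hash."""
    return hashlib.sha256(content).hexdigest() != baseline_sha256


def check_cron_script(path: str = CRON_SCRIPT,
                      baseline_sha256: str = BASELINE_SHA256) -> bool:
    """Read the script from disk and compare it with the baseline."""
    return script_tampered(Path(path).read_bytes(), baseline_sha256)


if __name__ == "__main__":
    for src, dst in untrusted_phmonitor_connections(SAMPLE_LOG):
        print(f"ALERT: {src} reached phMonitor on {dst}:{PHMONITOR_PORT} from outside the allow-list")
    print("cron script tampered:", script_tampered(KNOWN_GOOD_CONTENT + b"# extra line\n"))
```

Run on a real appliance, `check_cron_script()` would be scheduled more often than the script's own one-minute cron interval, since the advisory's escalation path depends on root executing a modified copy; the hash comparison is cheap enough for that.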
## References
- Vendor Advisory: hxxps://www.fortiguard.com/psirt/FG-IR-25-772
- Researcher Disclosure: hxxps://horizon3.ai/attack-research/disclosures/cve-2025-64155-three-years-of-remotely-rooting-the-fortinet-fortisiem/