Jun 10, 2026
Table Of Content
CVE-2025-64155: Critical FortiSIEM Flaw Allows Remote Root Access
What Is CVE-2025-64155?
Which FortiSIEM Components and Versions Are Affected?
How Does CVE-2025-64155 Work?
How Does CVE-2025-64155 Enable Full System Compromise?
Is There Evidence of Active Exploitation?
What Mitigation Steps Should Organizations Take?
Related Articles
Ivanti Sentry’s CVE-2026-10520 Enables Root RCE
What Do You Need to Know About Claude Fable 5?
Jun 10, 2026
Jan 15, 2026
5 Mins Read
Jun 03, 2026
CVE-2025-64155: Critical FortiSIEM Flaw Allows Remote Root Access
Fortinet has released security updates addressing a critical vulnerability in its FortiSIEM platform that allows unauthenticated remote attackers to execute arbitrary code on affected systems. Tracked as CVE-2025-64155, the flaw impacts specific FortiSIEM deployments.
While Fortinet has issued patches and guidance, the technical depth of the vulnerability and the availability of a Proof-of-Concept (PoC) exploit make it important for defenders to understand what is at stake.
What Is CVE-2025-64155?
CVE-2025-64155 (CVSS 9.8) is an unauthenticated OS command injection vulnerability, originating from how a core FortiSIEM service handles incoming network requests. Due to improper neutralization of special elements in operating system commands, attackers can send crafted TCP requests that trigger unauthorized command execution.
The vulnerability does not require valid credentials, which significantly raises its severity. Any attacker who can reach the affected service over the network may be able to exploit it, making exposure a key risk factor. As a result, successful exploitation could lead to full compromise of the affected FortiSIEM system.
Details of CVE-2025-64155 (SOCRadar Vulnerability Intelligence)
Which FortiSIEM Components and Versions Are Affected?
The vulnerability affects FortiSIEM Super and Worker nodes, but does not impact Collector nodes. FortiSIEM Cloud deployments and FortiSIEM version 7.5 are not affected.
Affected versions include:
- FortiSIEM 6.7.0 through 6.7.10
- FortiSIEM 7.0.0 through 7.0.4
- FortiSIEM 7.1.0 through 7.1.8
- FortiSIEM 7.2.0 through 7.2.6
- FortiSIEM 7.3.0 through 7.3.4
- FortiSIEM 7.4.0
Fortinet advises customers to upgrade to fixed releases or migrate to supported versions as outlined in its security advisory.
How Does CVE-2025-64155 Work?
The root cause lies in the phMonitor service, a backend FortiSIEM component used for health monitoring, task coordination, and inter-node communication. This service listens on TCP port 7900 and exposes multiple command handlers.
Researchers found that several of these handlers can be invoked without authentication. By crafting specific requests, an attacker can influence how FortiSIEM constructs and executes system-level commands. While recent hardening efforts reduced direct command injection, the research demonstrated that argument injection was still possible under certain conditions.
By abusing how a system script invokes curl with user-controlled input, an attacker can write arbitrary files to disk in the context of the admin user. This behavior forms the basis for Remote Code Execution (RCE).
How CVE-2025-64155 works
How Does CVE-2025-64155 Enable Full System Compromise?
The impact of the vulnerability extends beyond admin-level access. Once an attacker gains the ability to write arbitrary files, they can leverage a privilege escalation condition present on the appliance.
A specific script on the FortiSIEM system is writable by the admin user but executed automatically by a root-level cron job. By overwriting this script with a malicious payload, an attacker can escalate privileges from admin to root without exploiting a separate vulnerability.
This attack chain enables complete compromise of the FortiSIEM appliance, granting full control over the system and its data.
Is There Evidence of Active Exploitation?
At the time of disclosure, there are no reports of exploitation. However, a Proof-of-Concept (PoC) exploit is available, demonstrating how the vulnerability can be abused by a remote, unauthenticated attacker.
Additionally, prior FortiSIEM vulnerabilities have appeared in leaked ransomware group communications, suggesting ongoing attacker interest in this attack surface even if widespread exploitation has not yet been confirmed.
What Mitigation Steps Should Organizations Take?
The primary remediation step is to upgrade affected FortiSIEM deployments to patched versions provided by Fortinet. Where immediate patching is not feasible, organizations should restrict network access to the phMonitor service on TCP port 7900.
In addition to applying patches, organizations should maintain clear visibility into newly disclosed vulnerabilities and externally exposed assets. SOCRadar’s Cyber Threat Intelligence and Attack Surface Management modules help security teams track newly disclosed CVEs, identify exposed and vulnerable systems, and prioritize remediation based on real-world threat activity, enabling faster and more informed response decisions.
SOCRadar Vulnerability Intelligence: Track latest CVEs & exploitation trends
Security teams should also review FortiSIEM logs for signs of abnormal phMonitor activity, such as unexpected URLs or file write attempts.
Example malicious activity in logs (Horizon3.ai)
Given FortiSIEM’s role as a central security monitoring platform, maintaining its integrity is essential to ensure reliable detection and response capabilities.
