SOCRadar® Cyber Intelligence Inc. | CVE-2025-25256: FortiSIEM Flaw Enables Unauthenticated RCE
Aug 14, 2025
Jun 03, 2026
Moon

CVE-2025-25256: FortiSIEM Flaw Enables Unauthenticated RCE

A new critical vulnerability in Fortinet’s FortiSIEM platform is drawing urgent attention. With exploit code already circulating in the wild and the potential for full command injection without authentication, organizations using vulnerable versions need to act fast. Here’s a breakdown of what’s at stake and how to secure your systems.

What Is CVE-2025-25256?

CVE-2025-25256 (CVSS 9.8) is a newly disclosed vulnerability affecting Fortinet’s FortiSIEM, a security information and event management solution used widely for real-time monitoring and threat detection. The flaw is categorized as an OS command injection vulnerability (CWE-78).

The vulnerability stems from improper neutralization of special elements in CLI requests, potentially allowing unauthenticated remote attackers to execute arbitrary commands on affected systems. This makes it particularly dangerous, as exploitation can occur without any credentials.

CVE-2025-25256 (SOCRadar Vulnerability Intelligence)

Surge in Fortinet-Targeted Attacks

Recently, security firm GreyNoise reported a surge in brute-force attacks against Fortinet SSL VPNs, followed by activity targeting FortiManager. The timing suggests heightened interest in Fortinet systems from threat actors. GreyNoise notes such attack spikes often precede vulnerability disclosures.

Is a PoC Exploit Available for CVE-2025-25256?

Fortinet has confirmed that working exploit code for CVE-2025-25256 has been identified in the wild, making the situation far more critical than a theoretical flaw. The company did not disclose specific details about where or how the code was found, but also noted that exploitation may leave no distinctive Indicators of Compromise (IoCs).

SOCRadar’s Vulnerability Intelligence – New CVEs & Hacker Trends

SOCRadar’s Cyber Threat Intelligence module keeps your team informed on emerging threats before they escalate. With our platform’s Vulnerability Intelligence capabilities, you gain clear insight into the latest CVEs, active exploit activity, and evolving attacker tactics, enabling you to prioritize actions and reduce risk with confidence.

Which FortiSIEM Versions Are Affected by CVE-2025-25256?

A wide range of FortiSIEM versions are vulnerable, including multiple versions no longer receiving official support. Here’s a breakdown:

Unaffected: FortiSIEM 7.4

Require Upgrade:

  • 7.3.0 – 7.3.1 → upgrade to 7.3.2+
  • 7.2.0 – 7.2.5 → upgrade to 7.2.6+
  • 7.1.0 – 7.1.7 → upgrade to 7.1.8+
  • 7.0.0 – 7.0.3 → upgrade to 7.0.4+
  • 6.7.0 – 6.7.9 → upgrade to 6.7.10+

Require Migration to Supported Versions:

  • 6.6 and earlier (6.1–6.5, 5.4)

Systems running unsupported versions will not receive patches, increasing their long-term exposure unless migrated.

What Should You Do to Mitigate the Risk?

Fortinet advises upgrading to a fixed release based on your current FortiSIEM version. For those on unsupported legacy systems, migration is the only viable path forward.

As a temporary workaround, organizations can limit access to the phMonitor port (7900), a known entry point for exploit attempts. This should not be treated as a long-term fix, however, since it does not eliminate the underlying vulnerability.

Recommended Steps:

  • Identify the FortiSIEM version deployed in your environment.
  • Upgrade to:
    • 7.3.2 or later (if on 7.3.x)
    • 7.2.6 or later (if on 7.2.x)
    • 7.1.8 or later (if on 7.1.x)
    • 7.0.4 or later (if on 7.0.x)
    • 6.7.10 or later (if on 6.7.x)
  • Migrate from all 5.4 – 6.6 versions to supported releases.
  • Restrict network access to port 7900 as a temporary mitigation.
  • Monitor Fortinet’s official advisory for any updates or additional guidance.
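The first two steps above amount to a version triage against the advisory's affected ranges. The script below is an added example (not SOCRadar's or Fortinet's code) that encodes the version table from this post and classifies an installed version string; the function names and the input format (`MAJOR.MINOR.PATCH` with an optional build suffix) are assumptions.

```python
"""Triage a FortiSIEM version string against the CVE-2025-25256 ranges.

Constructed example: the version table is transcribed from the advisory
text above; function names and the accepted input format are assumptions.
"""
from __future__ import annotations

# Affected branches: (first affected, last affected, first fixed release).
AFFECTED_BRANCHES = {
    (7, 3): ((7, 3, 0), (7, 3, 1), "7.3.2"),
    (7, 2): ((7, 2, 0), (7, 2, 5), "7.2.6"),
    (7, 1): ((7, 1, 0), (7, 1, 7), "7.1.8"),
    (7, 0): ((7, 0, 0), (7, 0, 3), "7.0.4"),
    (6, 7): ((6, 7, 0), (6, 7, 9), "6.7.10"),
}
FIRST_UNAFFECTED = (7, 4, 0)   # 7.4 is listed as unaffected
FIRST_SUPPORTED = (6, 7, 0)    # 6.6 and earlier: no patch, migrate instead


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]'; a build suffix such as '-1234' is ignored."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    major, minor = int(parts[0]), int(parts[1])
    patch = int(parts[2]) if len(parts) > 2 else 0
    return major, minor, patch


def triage(version: str) -> dict[str, str]:
    """Return the advisory status and the recommended action for one version."""
    v = parse_version(version)
    if v < FIRST_SUPPORTED:
        return {"version": version, "status": "unsupported",
                "action": "migrate to a supported release"}
    if v >= FIRST_UNAFFECTED:
        return {"version": version, "status": "not affected", "action": "none"}
    low, high, fixed = AFFECTED_BRANCHES[v[:2]]
    if low <= v <= high:
        return {"version": version, "status": "vulnerable",
                "action": f"upgrade to {fixed} or later"}
    return {"version": version, "status": "fixed", "action": "none"}


if __name__ == "__main__":
    # Constructed sample inventory, one version string per appliance.
    for installed in ["7.3.1", "7.2.6", "6.7.9-2", "7.4.0", "6.6.3", "5.4"]:
        print(triage(installed))
```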

Get the Full Picture of Your Digital Exposure with SOCRadar

Knowing what to fix starts with knowing what’s exposed. Many organizations overlook digital assets or outdated systems until attackers find them first. These blind spots can include forgotten servers, unpatched software, or misconfigured services that silently expand your attack surface.

Monitor assets and vulnerabilities with SOCRadar’s Attack Surface Management (ASM)

SOCRadar’s Attack Surface Management (ASM) gives you that missing visibility. It continuously scans your external environment to uncover exposed assets, detect vulnerabilities, and flag risky misconfigurations. By combining ASM with timely intelligence on emerging threats, you can prioritize fixes, close gaps faster, and stay ahead of opportunistic attackers.