FortiSIEM’s critical wobble: patch first, tea later

Fortinet has disclosed a critical pre-auth command-injection flaw in FortiSIEM—CVE-2025-25256 (CVSS 9.8)—and says exploit code exists in the wild. The bug sits in the phMonitor process (port 7900), where inadequate input sanitisation can let an unauthenticated attacker run OS commands. Fortinet lists affected branches and fixed versions, notes there may be no clear IoCs, and advises restricting access to port 7900 as a workaround until patched. The alert coincides with a spike in brute-force traffic against Fortinet gear seen by researchers, underlining the urgency to update promptly.

Fortinet has sounded the alarm on a critical FortiSIEM vulnerability (CVE-2025-25256, CVSS 9.8) for which working exploit code has already been found in the wild. In plain English: someone can send a specially crafted request to FortiSIEM and make it run OS commands, with no login required. That's not a feature. It's a fire alarm.

What’s actually broken?
The issue sits in phMonitor, a FortiSIEM component listening on TCP port 7900. The process does not properly sanitise what it receives, so a crafted request to that port can be turned into an operating-system command (an OS command injection, CWE-78), and because no authentication happens first, anyone who can reach the port can try it. Fortinet also says the bug does not produce distinctive indicators of compromise, so a quiet log is not proof of a clean box; don't wait for the logs to spell it out.

Who’s affected?
Impacted and fixed versions (per Fortinet):
• 6.1–6.6 → migrate to a fixed release
• 6.7.0–6.7.9 → update to 6.7.10+
• 7.0.0–7.0.3 → update to 7.0.4+
• 7.1.0–7.1.7 → update to 7.1.8+
• 7.2.0–7.2.5 → update to 7.2.6+
• 7.3.0–7.3.1 → update to 7.3.2+
• 7.4 → not affected.

What should I do today?
1. Patch to the fixed build for your branch (see the table above), immediately, on every Supervisor, Worker and Collector, not just the one you log in to.
2. Until patched, restrict TCP 7900 (phMonitor) at the network edge or host firewall so that only the FortiSIEM nodes that legitimately talk to it and trusted management hosts can reach it; anything else reaching that port is attack surface.
3. Assume there may be no distinctive IoCs: if port 7900 was reachable from untrusted networks while the node was unpatched, treat it as potentially compromised and review admin accounts, API tokens and recent configuration changes on the box rather than relying on alerts.
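A fleet triage script that encodes the version table above and checks whether phMonitor is reachable, as an added example that is not Fortinet's tooling or anything from the advisory. The hostnames and versions in the inventory are constructed; `parse_version`, `triage`, `phmonitor_reachable` and `triage_fleet` are names chosen here; and treating branches after 7.4 as clean is an assumption, since the advisory only states that 7.4 is not affected.

```python
"""Fleet triage for CVE-2025-25256 (FortiSIEM phMonitor, TCP 7900).

Added example, not Fortinet's code. It encodes the affected/fixed branch
table from the advisory, classifies each node's version, and optionally
checks whether phMonitor is reachable from the host running the script.
Hostnames and versions in INVENTORY are constructed for illustration.
"""
import socket
from typing import List, Optional, Tuple

PHMONITOR_PORT = 7900
Version = Tuple[int, int, int]

# Affected branches from the advisory: (first bad, last bad, fixed build).
# fixed=None means Fortinet offers no fixed build on that branch (migrate).
AFFECTED_RANGES: List[Tuple[Version, Version, Optional[str]]] = [
    ((6, 1, 0), (6, 6, 10**6), None),   # 6.1 - 6.6: migrate to a fixed release
    ((6, 7, 0), (6, 7, 9), "6.7.10"),
    ((7, 0, 0), (7, 0, 3), "7.0.4"),
    ((7, 1, 0), (7, 1, 7), "7.1.8"),
    ((7, 2, 0), (7, 2, 5), "7.2.6"),
    ((7, 3, 0), (7, 3, 1), "7.3.2"),
]
# Advisory: 7.4 is not affected. Treating anything later as clean too is an
# assumption made here, not something the advisory states.
FIRST_CLEAN_BRANCH: Version = (7, 4, 0)


def parse_version(text: str) -> Version:
    """'7.2.5' -> (7, 2, 5); '6.6' -> (6, 6, 0). A build suffix such as
    '7.3.1-2345' is ignored; only the dotted release number matters here."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def triage(version: str) -> Tuple[str, Optional[str]]:
    """Classify a FortiSIEM version against the advisory table.

    Returns (status, fixed_build):
      'patch'         affected, update to fixed_build on the same branch
      'migrate'       affected, branch has no fixed build (6.1 - 6.6)
      'fixed'         same branch as an affected row but at/after the fix
      'not_affected'  7.4 or later (see FIRST_CLEAN_BRANCH assumption)
      'unlisted'      not covered by the table (e.g. pre-6.1): check manually
    """
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v <= hi:
            return ("patch", fixed) if fixed else ("migrate", None)
        if fixed and v[:2] == lo[:2] and v > hi:
            return ("fixed", fixed)
    if v >= FIRST_CLEAN_BRANCH:
        return ("not_affected", None)
    return ("unlisted", None)


def phmonitor_reachable(host: str, timeout: float = 2.0) -> bool:
    """TCP connect to phMonitor. A completed handshake means the port is
    exposed from wherever this runs; it says nothing about exploitability.
    After applying the workaround, this should fail from untrusted networks."""
    try:
        with socket.create_connection((host, PHMONITOR_PORT), timeout=timeout):
            return True
    except OSError:
        return False


def triage_fleet(inventory, probe: bool = False) -> List[dict]:
    """Run triage over (host, version) pairs; probe=True adds a live port check."""
    rows = []
    for host, version in inventory:
        status, fixed = triage(version)
        row = {"host": host, "version": version, "status": status, "fixed": fixed}
        if probe:
            row["port_7900_open"] = phmonitor_reachable(host)
        rows.append(row)
    return rows


# Constructed inventory: not real hosts.
INVENTORY = [
    ("siem-super.example.internal", "7.2.5"),
    ("siem-worker1.example.internal", "7.3.2"),
    ("siem-legacy.example.internal", "6.6.3"),
    ("siem-lab.example.internal", "7.4.0"),
]

if __name__ == "__main__":
    actions = {"patch": "update to {fixed}+",
               "migrate": "migrate to a fixed release",
               "fixed": "already fixed",
               "not_affected": "not affected",
               "unlisted": "not in advisory table, check manually"}
    for row in triage_fleet(INVENTORY, probe=False):
        action = actions[row["status"]].format(fixed=row["fixed"])
        print(f"{row['host']:<34} {row['version']:<8} {row['status']:<13} {action}")
```

Run it with `probe=True` from a workstation outside the SIEM management segment: any row that comes back with `port_7900_open` true while its status is `patch` or `migrate` is the node to deal with first, and after the firewall change the same probe should return false from that vantage point.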

Why the hurry?
Researchers also spotted a brute-force surge against Fortinet devices around the same time. Whether related or not, it’s a good moment to tighten the hatches and verify controls.
Bottom line: get the update on, lock down port 7900, and then, only then, put the kettle on.