FortiSIEM gets an urgent fix for unauthenticated RCE

Fortinet patched CVE-2025-64155 (CVSS 9.4), an OS command injection in FortiSIEM's phMonitor service (TCP 7900) that allows unauthenticated RCE on Super/Worker nodes. The flaw enables argument injection leading to arbitrary file write, and the write is then used to escalate to root via a cron-executed script path. A PoC was released by Horizon3.ai, and honeypots show active targeting. Fixed versions are available across the 6.7–7.4 trains; 7.5 and FortiSIEM Cloud are not affected. Recommended: upgrade to the fixed build for your train and restrict TCP 7900 to the Super/Worker nodes that actually need to reach it.

Fortinet has addressed a serious bug, CVE-2025-64155 (CVSS 9.4), in FortiSIEM. The issue sits in phMonitor, the backend service that shuttles tasks and status between nodes over TCP 7900. Crafted requests can trigger argument injection, write files as the admin user, and escalate to root, handing an attacker the keys to your SIEM. A public PoC is out, and honeypots have seen opportunistic probing—so this one deserves your immediate attention.

Who’s affected and what to do
Super/Worker nodes on 6.7–7.4 are impacted; 7.5 and FortiSIEM Cloud are not. Fortinet has shipped a fixed build for each affected train, so check the running version against the advisory for your train rather than assuming a single cut-off. Upgrade now and, as a belt-and-braces move, limit access to TCP 7900 to the cluster's own nodes: phMonitor is node-to-node plumbing and has no business being reachable from anywhere else.

How the exploit chains
Researchers describe a two-step chain: unauthenticated argument injection in phMonitor gives an arbitrary file write; that write is then used to overwrite a script that cron already runs as root, replacing it with a reverse shell, so the attacker gets root the next time the job fires. No credentials and no user interaction are needed, and once targets are enumerated the whole thing is trivially scriptable. One practical consequence for responders: because the root step lands in a cron-executed script, an already-compromised node may carry a modified script on disk, so checking the integrity of cron-run scripts is a cheap post-patch sanity check.

Why it matters
Your SIEM aggregates sensitive logs and credentials from across the estate; a compromise here blinds detection and response at exactly the moment you need it. Patch, restrict network reachability, and watch for connections to TCP 7900 from anything other than the cluster's own Super/Worker nodes.
Action plan: patch to the fixed release for your train, firewall 7900 to trusted sources only, review for unexpected admin or root activity on the nodes, and schedule a retest to confirm the fix took.
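As an added illustration of the "watch for hits to 7900" step, here is a small triage script that is not from Fortinet, Horizon3.ai or the original article. It parses firewall-style connection logs and flags accepted TCP 7900 connections whose source is outside an allowlist of the cluster's own nodes, and separately tallies blocked probes so you can see whether the firewall rule is being exercised. The log format, the allowlist network (10.10.20.0/28) and the sample lines are all constructed for this example; adapt the regex to your own firewall's syslog format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not from any real deployment). Generic
# firewall-style syslog with src/dst/proto/dport fields.
SAMPLE_LOG = """\
2025-11-18T09:12:01Z fw1 accept src=10.10.20.11 dst=10.10.20.5 proto=tcp dport=7900
2025-11-18T09:12:03Z fw1 accept src=10.10.20.12 dst=10.10.20.5 proto=tcp dport=7900
2025-11-18T09:15:44Z fw1 accept src=203.0.113.77 dst=10.10.20.5 proto=tcp dport=7900
2025-11-18T09:15:45Z fw1 accept src=203.0.113.77 dst=10.10.20.5 proto=tcp dport=7900
2025-11-18T09:16:02Z fw1 accept src=198.51.100.9 dst=10.10.20.5 proto=tcp dport=443
2025-11-18T09:17:30Z fw1 drop src=203.0.113.77 dst=10.10.20.6 proto=tcp dport=7900
"""

# Hypothetical allowlist: the FortiSIEM Super/Worker nodes themselves, which are
# the only legitimate peers for phMonitor traffic on TCP 7900.
ALLOWED_PEERS = [ipaddress.ip_network("10.10.20.0/28")]
PHMONITOR_PORT = 7900

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>accept|drop) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def is_allowed_peer(src):
    """True if the source address belongs to one of the allowlisted networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_PEERS)


def phmonitor_events(log_text):
    """Yield parsed events that target TCP 7900, skipping unparseable lines."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "tcp" and ev["dport"] == PHMONITOR_PORT:
            yield ev


def find_untrusted_phmonitor_hits(log_text):
    """Accepted connections to TCP 7900 from outside the allowlist.

    These are the events that matter: traffic that actually reached phMonitor
    from a source that is not a Super/Worker node.
    """
    return [
        ev for ev in phmonitor_events(log_text)
        if ev["action"] == "accept" and not is_allowed_peer(ev["src"])
    ]


def count_blocked_probes(log_text):
    """Dropped TCP 7900 attempts per source: evidence the firewall rule is biting."""
    return Counter(
        ev["src"] for ev in phmonitor_events(log_text) if ev["action"] == "drop"
    )


def summarize_by_source(hits):
    """Count flagged hits per source address, most active first."""
    return Counter(ev["src"] for ev in hits)


if __name__ == "__main__":
    hits = find_untrusted_phmonitor_hits(SAMPLE_LOG)
    for src, n in summarize_by_source(hits).most_common():
        print(f"ALERT {src}: {n} accepted connection(s) to tcp/{PHMONITOR_PORT} "
              f"from outside the allowlist")
    for src, n in count_blocked_probes(SAMPLE_LOG).most_common():
        print(f"info  {src}: {n} blocked probe(s) to tcp/{PHMONITOR_PORT}")
```

On the sample data the script flags 203.0.113.77 twice for accepted connections and once more for a blocked probe, while the two internal nodes and the unrelated 443 connection are ignored. Only accepted events raise an alert; drops are reported separately because a dropped probe means the restriction on 7900 did its job, though a burst of them from one source is still worth a look.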