A newly disclosed critical security flaw (CVE-2025-25256) has been identified in multiple versions of Fortinet FortiSIEM. Due to the availability of a public Proof of Concept (PoC), the risk of exploitation is significantly heightened, making immediate attention and remediation imperative.
Overview
- Vulnerability ID: CVE-2025-25256
- Description: A remote, unauthenticated OS command injection vulnerability (CWE-78) exists in FortiSIEM. It allows an attacker to execute unauthorized system commands via specially crafted CLI requests.
- CVSS v3.1 Score: 9.8 (Critical)
- Affected Product: Fortinet FortiSIEM (multiple versions)
- Vulnerability Type: OS Command Injection (improper neutralization of special elements; CWE-78)
- Exploit Status: Proof-of-Concept (PoC) code is known to exist in the wild. No clear indicators of compromise (IoCs) are typically produced during exploitation.
A PoC has been released on GitHub and is sold for $350.
Affected Versions
FortiSIEM versions impacted include:
- 7.3.0 – 7.3.1 (Upgrade to 7.3.2 or above)
- 7.2.0 – 7.2.5 (Upgrade to 7.2.6 or above)
- 7.1.0 – 7.1.7 (Upgrade to 7.1.8 or above)
- 7.0.0 – 7.0.3 (Upgrade to 7.0.4 or above)
- 6.7.0 – 6.7.9 (Upgrade to 6.7.10 or above)
- All versions of 6.6, 6.5, 6.4, 6.3, 6.2, 6.1, and 5.4 are also affected; upgrade to any fixed release available
Impact
This vulnerability arises from inadequate sanitization of user input in FortiSIEM's command-line interface (CLI). A remote, unauthenticated attacker can exploit this flaw to execute arbitrary OS-level commands on vulnerable systems, potentially compromising system integrity, confidentiality, and availability.
Monitoring & Detection
- Monitor logs for anomalous CLI activity or unusual commands executed via phMonitor.
- Watch for behavioural signs of compromise: although there are no distinct IoCs, elevated system notifications or performance anomalies may signal compromise.
- Consider increased endpoint and network visibility until patches can be deployed.
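As an added example (not part of this bulletin), the following script shows one way to act on the first bullet: it scans log lines for commands spawned by phMonitor and flags those containing shell control characters or launching a binary outside an allowlist. The log line layout, the allowlist and the sample lines are all constructed assumptions; adapt the regex to the real event format on your collector.

```python
import re

# ASSUMED log layout (constructed for this example; not FortiSIEM's real format):
#   <timestamp> <host> phMonitor[<pid>]: exec user=<user> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) phMonitor\[(?P<pid>\d+)\]: '
    r'exec user=(?P<user>\S+) cmd="(?P<cmd>.*)"$'
)
# Shell control characters that a legitimate monitor command line should never carry.
META_RE = re.compile(r'[;&|`<>]|\$\(|\$\{|\n')
# First token of the command line, stopping at whitespace or shell separators.
BINARY_RE = re.compile(r'^\s*([^\s;&|`<>]+)')
# ASSUMED allowlist of binaries phMonitor is expected to launch on this host.
ALLOWED_BINARIES = {"/usr/bin/df", "/usr/bin/uptime", "/usr/bin/free"}


def check_command(cmd: str) -> list[str]:
    """Return the reasons a phMonitor command line looks suspicious (empty if clean)."""
    reasons = []
    if META_RE.search(cmd):
        reasons.append("shell metacharacters")
    m = BINARY_RE.match(cmd)
    binary = m.group(1) if m else ""
    if binary not in ALLOWED_BINARIES:
        reasons.append(f"binary not allowlisted: {binary or '<empty>'}")
    return reasons


def scan(lines) -> list[dict]:
    """Parse log lines and return one finding per suspicious phMonitor exec event."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:          # not a phMonitor exec record; ignore
            continue
        reasons = check_command(m["cmd"])
        if reasons:
            findings.append({"host": m["host"], "user": m["user"],
                             "cmd": m["cmd"], "reasons": reasons})
    return findings


# Constructed sample input: two benign monitor calls, one injected separator, one foreign binary.
SAMPLE_LOG = [
    '2025-08-13T10:01:02Z siem01 phMonitor[2231]: exec user=admin cmd="/usr/bin/df -h"',
    '2025-08-13T10:01:05Z siem01 phMonitor[2231]: exec user=admin cmd="/usr/bin/uptime; id"',
    '2025-08-13T10:02:11Z siem01 phMonitor[2231]: exec user=admin cmd="/bin/bash -c whoami"',
    '2025-08-13T10:03:00Z siem01 sshd[410]: Accepted publickey for admin from 10.0.0.5',
    '2025-08-13T10:04:30Z siem01 phMonitor[2231]: exec user=admin cmd="/usr/bin/free -m"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']} user={f['user']} cmd={f['cmd']!r}: {', '.join(f['reasons'])}")
```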
Recommended Actions
- Upgrade FortiSIEM immediately: apply the latest patched versions (7.3.2+, 7.2.6+, 7.1.8+, 7.0.4+, or 6.7.10+).
- If an immediate upgrade is not possible, implement a temporary workaround: restrict access to the phMonitor service (TCP port 7900) to trusted internal hosts only.
References:
- Fortinet Vendor Advisory (FG-IR-25-152), FortiGuard / NVD
- The Hacker News coverage
- Help Net Security analysis
- CERT-EU Advisory (2025-031), cert.europa.eu
- Tenable technical details and PoC analysis
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.