Hackers Actively Exploiting Critical Fortinet FortiSIEM Vulnerability

Jan 19, 2026

Recent threat intelligence indicates that cyber actors are actively exploiting a critical vulnerability in Fortinet FortiSIEM security monitoring software. This flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges — and with proof-of-concept exploit code publicly available, the risk of successful compromise has significantly increased.

What’s Happening

Security researchers have confirmed that CVE-2025-64155, a critical OS command injection vulnerability in Fortinet’s FortiSIEM product, is being actively abused in real-world attacks. The flaw affects the phMonitor service — a component that processes remote commands — and can be triggered by unauthenticated attackers through crafted TCP requests.

In short, this vulnerability enables:

  • Remote code execution without authentication

  • Privilege escalation to root access

  • Complete takeover of vulnerable FortiSIEM instances

These capabilities provide a powerful foothold for attackers, letting them manipulate logs, disable security monitoring, exfiltrate data, or deploy additional payloads.

Technical Background

CVE-2025-64155 stems from improper neutralization of special elements in OS commands processed by the phMonitor service — technically classified as a CWE-78 OS Command Injection flaw. Because the vulnerable service listens on TCP port 7900 without requiring authentication, threat actors can send specially-crafted requests that are executed as system-level commands.

Security researchers at Horizon3.ai published a technical write-up and proof-of-concept (PoC) exploit, which abuses the flaw to overwrite system scripts — such as /opt/charting/redishb.sh — and achieve root command execution.

Active Threats & Exploitation

Threat intelligence firm Defused reports that the vulnerability is being actively exploited in the wild, including in controlled honeypots designed to detect ongoing attacks. This escalation indicates that actors are already weaponizing the PoC code rather than merely scanning for vulnerable systems.

Indicators of compromise (IOCs) shared by Horizon3.ai point defenders toward unusual entries in the phMonitor message logs — especially PHL_ERROR entries that reference malicious payload URLs.
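The IOC guidance above (PHL_ERROR entries from phMonitor whose message carries a payload URL, and any reference to the overwritten /opt/charting/redishb.sh script) can be turned into a simple log triage. The block below is an added example written for this page, not tooling from Horizon3.ai, Defused or Fortinet. The sample log lines are constructed: their `[key]=value` layout approximates FortiSIEM's phoenix.log style and is an assumption, the addresses are TEST-NET values, and the field names `eventSeverity`, `procName` and `phLogDetail` are the ones assumed by the parser.

```python
"""Triage phMonitor log lines for the CVE-2025-64155 IOC pattern: PHL_ERROR
entries emitted by phMonitor that reference a URL or the charting script the
public PoC overwrites. Added example; the log format and sample lines below are
constructed assumptions, not real FortiSIEM output."""
import re
from typing import Dict, List

# Constructed sample log (TEST-NET addresses, not real indicators).
SAMPLE_LOG = """\
2026-01-18 09:12:41 siem-prod-01 phMonitor[2231]: [PH_GENERIC_INFO]:[eventSeverity]=PHL_INFO,[procName]=phMonitor,[phLogDetail]=Received command from collector 10.0.0.12
2026-01-18 09:13:02 siem-prod-01 phMonitor[2231]: [PH_GENERIC_ERROR]:[eventSeverity]=PHL_ERROR,[procName]=phMonitor,[phLogDetail]=Unexpected argument in request: http://203.0.113.5:8000/payload.sh /opt/charting/redishb.sh
2026-01-18 09:13:05 siem-prod-01 phMonitor[2231]: [PH_GENERIC_ERROR]:[eventSeverity]=PHL_ERROR,[procName]=phMonitor,[phLogDetail]=Disk usage check failed on /data
2026-01-18 09:14:10 siem-prod-01 phReportWorker[2410]: [PH_GENERIC_ERROR]:[eventSeverity]=PHL_ERROR,[procName]=phReportWorker,[phLogDetail]=Report upload to https://reports.example.com failed
"""

# A field starts at "[name]=" and runs until the next such marker (or end of line),
# so commas inside the free-text detail field do not break parsing.
KEY_RE = re.compile(r"\[(\w+)\]=")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Script path named in the public write-up as the overwrite target.
WATCHED_PATHS = ("/opt/charting/redishb.sh",)


def parse_line(line: str) -> Dict[str, str]:
    """Return the [key]=value fields of one log line as a dict."""
    fields: Dict[str, str] = {}
    markers = list(KEY_RE.finditer(line))
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(line)
        fields[m.group(1)] = line[m.end():end].rstrip(", \n")
    return fields


def scan(log_text: str) -> List[Dict[str, object]]:
    """Flag PHL_ERROR lines from phMonitor that mention a URL or a watched path."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = parse_line(line)
        if fields.get("eventSeverity") != "PHL_ERROR":
            continue
        if fields.get("procName") != "phMonitor":
            continue  # errors from other FortiSIEM processes are not this IOC
        detail = fields.get("phLogDetail", "")
        urls = URL_RE.findall(detail)
        paths = [p for p in WATCHED_PATHS if p in detail]
        if urls or paths:
            findings.append({"line": lineno, "urls": urls, "paths": paths, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: urls={f['urls']} paths={f['paths']}")
```

Run it against a copy of the phMonitor log rather than on the appliance itself; a hit on a URL that is not one of your own collectors or update servers warrants treating the host as potentially compromised and preserving the log before any upgrade overwrites it.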

Affected Versions & Mitigations

The vulnerability impacts multiple Fortinet FortiSIEM releases. Administrators should take the steps below to reduce exposure:

FortiSIEM Version    Status / Recommendation
6.7.0 – 6.7.10       Vulnerable — Upgrade Immediately
7.0.0 – 7.0.4        Vulnerable — Upgrade Immediately
7.1.0 – 7.1.8        Update to 7.1.9+
7.2.0 – 7.2.6        Update to 7.2.7+
7.3.0 – 7.3.4        Update to 7.3.5+
7.4.0 – 7.4.x        Update to 7.4.1+

Organizations running versions below these patched releases should migrate to fixed versions as soon as possible.
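Checking an estate against the table is where mistakes creep in, most often by comparing version strings lexically (which ranks 7.1.10 below 7.1.9). The block below is an added example, not Fortinet's tooling: it encodes the advisory ranges above as integer tuples and triages a constructed host inventory. The inventory hostnames and versions are made up for illustration.

```python
"""Map FortiSIEM versions to their CVE-2025-64155 status using the ranges in the
advisory table above. Added example, not Fortinet's tooling; the inventory below
is constructed. Integer-tuple comparison keeps 7.1.10 newer than 7.1.9."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# One entry per release branch in the advisory table:
# (branch, last affected build, first fixed build). fixed is None where the
# table only says "Upgrade Immediately" without naming a fixed build in that branch.
ADVISORY: List[Tuple[Tuple[int, int], Version, Optional[Version]]] = [
    ((6, 7), (6, 7, 10), None),
    ((7, 0), (7, 0, 4), None),
    ((7, 1), (7, 1, 8), (7, 1, 9)),
    ((7, 2), (7, 2, 6), (7, 2, 7)),
    ((7, 3), (7, 3, 4), (7, 3, 5)),
    ((7, 4), (7, 4, 0), (7, 4, 1)),  # "7.4.0 - 7.4.x", fixed in 7.4.1
]

# Constructed inventory: hostname,version per line.
INVENTORY = """\
siem-prod-01,7.2.5
siem-prod-02,7.2.7
siem-lab-01,7.1.10
siem-legacy-01,6.7.8
siem-new-01,7.4.0
"""


def parse_version(text: str) -> Version:
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def triage(text: str) -> Dict[str, object]:
    """Return vulnerable=True/False, or None when the table does not cover the version."""
    v = parse_version(text)
    for branch, last_affected, fixed in ADVISORY:
        if v[:2] != branch:
            continue
        if fixed is not None:
            # Branch has a named fix: everything below it is affected.
            if v < fixed:
                return {"version": text, "vulnerable": True,
                        "action": f"update to {fmt(fixed)} or later"}
            return {"version": text, "vulnerable": False, "action": "fixed release"}
        if v <= last_affected:
            return {"version": text, "vulnerable": True,
                    "action": "no fixed build in this branch; move to 7.1.9+, 7.2.7+, 7.3.5+ or 7.4.1+"}
        break
    return {"version": text, "vulnerable": None,
            "action": "not covered by the advisory table; confirm against Fortinet's advisory"}


def triage_inventory(csv_text: str) -> List[Dict[str, object]]:
    rows = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        row = triage(version)
        row["host"] = host
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in triage_inventory(INVENTORY):
        print(f"{row['host']:15} {row['version']:8} vulnerable={row['vulnerable']}  {row['action']}")
```

Versions the table does not list (for example 6.7.11 or a future 8.x) come back as `None` rather than "safe", so the script never quietly clears a build it has no data for.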

For environments where immediate patching isn’t feasible, Fortinet suggests a temporary mitigation: restrict access to the phMonitor service port (7900) using network controls or access lists to limit exposure.

Recommendations for Security Teams

To defend against exploitation of this severe vulnerability, security teams should:

  • Apply security updates immediately to reach one of the patched FortiSIEM releases.

  • Harden network access to FortiSIEM, especially limiting public or untrusted traffic to management and monitoring ports.

  • Review phMonitor logs for signs of malicious requests or unusual PHL_ERROR entries.

  • Scan for possible compromise using IOCs provided by threat intelligence sources.

  • Segment critical infrastructure to minimize lateral movement in case of breach.

Conclusion

The exploitation of Fortinet FortiSIEM’s critical CVE-2025-64155 flaw demonstrates how quickly powerful vulnerabilities — especially those with publicly released PoC code — can be weaponized against enterprises and SOC environments. Prompt patching, proactive logging review, and network access restrictions are essential to reduce the risk of compromise.

If you use Fortinet FortiSIEM in your infrastructure, treat this vulnerability with the same urgency as an active zero-day threat — because attackers already are.

Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.
