Public Exploit Code Accelerates Attacks Against Fortinet SIEM Deployments
A critical vulnerability affecting Fortinet FortiSIEM is now being actively exploited in the wild, according to multiple security researchers. The flaw, tracked as CVE-2025-64155, has publicly available proof-of-concept (PoC) exploit code and allows unauthenticated remote attackers to execute commands with root-level privileges.
The issue was disclosed by Zach Hanley of Horizon3.ai, who identified the vulnerability as a combination of flaws that enable arbitrary file writes with administrative permissions, ultimately leading to full system compromise.
Fortinet released security updates earlier this week, but threat intelligence firm Defused has since confirmed that attackers are already using the vulnerability in targeted exploits.
Technical Breakdown of CVE-2025-64155
According to Fortinet’s advisory, CVE-2025-64155 stems from an OS command injection vulnerability (CWE-78) within FortiSIEM’s phMonitor service. Improper neutralization of special elements allows attackers to execute unauthorized commands via crafted TCP requests, without authentication.
Horizon3.ai’s technical analysis showed that dozens of command handlers exposed through the phMonitor service can be remotely invoked. By exploiting an argument injection flaw, attackers can overwrite the /opt/charting/redishb.sh file, achieving arbitrary code execution as root.
Successful exploitation gives attackers full control over the FortiSIEM appliance, an especially concerning scenario given SIEM systems’ privileged access and visibility across enterprise environments.
Affected Versions and Patch Guidance
The vulnerability affects FortiSIEM versions 6.7 through 7.5. Fortinet advises customers to upgrade to one of the following fixed releases:
- FortiSIEM 7.4.1 or later
- FortiSIEM 7.3.5 or later
- FortiSIEM 7.2.7 or later
- FortiSIEM 7.1.9 or later
Organizations running FortiSIEM 7.0.0–7.0.4 or 6.7.0–6.7.10 are advised to migrate to a supported, patched version. For environments unable to immediately apply updates, Fortinet has published a temporary workaround: restrict access to the phMonitor port (TCP 7900) to trusted sources only.
Active Exploitation Confirmed
Two days after patches were released, Defused reported seeing active, targeted exploitation of CVE-2025-64155 in its honeypots. Horizon3.ai has also published indicators of compromise (IOCs) to help organizations identify affected systems. Administrators are advised to review phMonitor logs located at:
/opt/phoenix/log/phoenix.logs
Evidence of exploitation may include suspicious payload URLs appearing in log entries containing PHL_ERROR. As of publication, Fortinet has not yet updated its advisory to formally flag the vulnerability as exploited in the wild.
Fortinet products have previously been targeted quickly after disclosure. In November 2025, Fortinet warned of active exploitation of a FortiWeb zero-day (CVE-2025-58034). Then, one week later, a second FortiWeb zero-day (CVE-2025-64446) was confirmed as silently patched after widespread abuse.
While earlier that year, in February 2025, the Chinese state-linked Volt Typhoon group exploited FortiOS vulnerabilities to deploy the Coathanger RAT within the Dutch Ministry of Defence network.
What Organizations Should Do Now
Organizations running FortiSIEM should treat CVE-2025-64155 as a high-priority exposure. With confirmed exploitation and publicly available exploit code, teams should assume exposed systems are at risk until patches or mitigations are fully applied and logs have been reviewed for signs of compromise.
More broadly, this reinforces the reality that exploitation follows disclosure almost immediately. Waiting for advisories to be updated or treating remediation as a periodic exercise leaves critical infrastructure exposed during the most dangerous window.
Effectively managing exposures requires continuous visibility into what is reachable, validation of what is actually exploitable, and the ability to mobilize remediation quickly and consistently. Organizations that operationalize these capabilities are far better positioned to contain vulnerabilities like CVE-2025-64155 before they escalate into full-scale incidents.
