
Fortinet has released security updates to fix a critical vulnerability in FortiSIEM that could allow an attacker to execute code remotely without authentication. The flaw is tracked as CVE-2025-64155 and has a CVSS score of 9.4, indicating a very high risk.
According to Fortinet, the issue is an OS command injection vulnerability. An attacker can send specially crafted TCP requests to vulnerable FortiSIEM systems and run unauthorized commands. This vulnerability only affects Super and Worker nodes in on-premise deployments.
The flaw exists in the phMonitor service, a core FortiSIEM component that handles system monitoring and internal communication over TCP port 7900. Due to improper input handling, this service can be abused to write arbitrary files to disk. In a worst-case scenario, attackers can escalate privileges from admin to root, resulting in full takeover of the appliance.
Security researchers from Horizon3.ai confirmed that the vulnerability can be chained into a complete compromise. A proof-of-concept (PoC) exploit has already been released, significantly increasing the risk. In addition, real-world exploitation attempts have been observed targeting exposed systems.
Fortinet has fixed the issue in newer versions and strongly urges administrators to upgrade immediately. As a temporary mitigation, access to port 7900 should be restricted to trusted systems only.
In a related update, Fortinet also patched a critical FortiFone vulnerability (CVE-2025-47855) that could allow attackers to access device configuration without authentication.
With active exploitation already detected, organizations using FortiSIEM are advised to apply patches as soon as possible and review network exposure to reduce the risk of attack.
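One way to apply the interim mitigation above (restricting TCP 7900 to trusted systems) and get a log trail for exposure review, as an added example that is not from the article or from Fortinet: a small POSIX shell function that emits an nftables ruleset allow-listing phMonitor's port for the peers you name, and logging and dropping everything else. It assumes nftables is available on the node and that the admin knows the legitimate peer addresses (Supervisor, Worker and Collector nodes); it only prints the ruleset so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not from the article or from Fortinet). Emits an nft ruleset
# that allows TCP 7900 (phMonitor) only from trusted peers and logs+drops the
# rest. Assumption: nftables is present on the FortiSIEM node and the admin
# loads the printed ruleset with `nft -f` after reviewing it.

# Accept an IPv4 address or CIDR (a.b.c.d or a.b.c.d/n, n in 0..32).
valid_cidr() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print the ruleset. Arguments: trusted IPv4 addresses/CIDRs, i.e. the nodes
# that legitimately talk to phMonitor. Fails (exit 1) on no or invalid peers.
phmonitor_ruleset() {
  [ "$#" -gt 0 ] || { echo "error: no trusted peers given" >&2; return 1; }
  peers=""
  for p in "$@"; do
    valid_cidr "$p" || { echo "error: invalid peer '$p'" >&2; return 1; }
    peers="${peers:+$peers, }$p"
  done
  # `flags interval` lets the set hold CIDR ranges as well as single hosts.
  # The drop rule logs with a fixed prefix so denied attempts can be reviewed
  # in the kernel log (e.g. `journalctl -k | grep phmonitor-7900-denied`).
  cat <<EOF
table inet phmonitor_guard {
  set trusted_peers {
    type ipv4_addr
    flags interval
    elements = { $peers }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport 7900 ip saddr @trusted_peers accept
    tcp dport 7900 log prefix "phmonitor-7900-denied: " drop
  }
}
EOF
}
```

Running `phmonitor_ruleset 10.0.0.0/24 192.168.1.5 | nft -f -` on the node installs the allow-list (constructed addresses; substitute your own peers); the table can be removed again with `nft delete table inet phmonitor_guard` once the upgrade is done.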
Source: https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html
