Fortinet has issued an urgent security advisory for a critical remote unauthenticated command injection vulnerability affecting multiple versions of FortiSIEM, a leading Security Information and Event Management (SIEM) platform. Tracked as CVE-2025-25256 and carrying a CVSS score of 9.8, the flaw could allow attackers to execute arbitrary code or system commands without authentication.
The issue stems from improper neutralization of special elements used in OS commands (CWE-78), which lets a remote attacker execute unauthorized commands via crafted CLI requests. Alarmingly, practical exploit code has already been observed in the wild, elevating the urgency of mitigation.
The vulnerability impacts a wide range of FortiSIEM releases:
- FortiSIEM 7.3: Versions 7.3.0 – 7.3.1 (fixed in 7.3.2)
- FortiSIEM 7.2: Versions 7.2.0 – 7.2.5 (fixed in 7.2.6)
- FortiSIEM 7.1: Versions 7.1.0 – 7.1.7 (fixed in 7.1.8)
- FortiSIEM 7.0: Versions 7.0.0 – 7.0.3 (fixed in 7.0.4)
- FortiSIEM 6.7: Versions 6.7.0 – 6.7.9 (fixed in 6.7.10)
- All versions of 6.6, 6.5, 6.4, 6.3, 6.2, 6.1, and 5.4 require migration to a patched release
Fortinet strongly advises upgrading to the fixed versions listed in the advisory. For organizations unable to upgrade immediately, the following interim workaround is recommended:
- Restrict access to the phMonitor port (7900) to trusted IPs or internal network segments only.
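To triage an inventory against the version list above, the following added example (not Fortinet's code) classifies each FortiSIEM version string as affected, fixed, or unknown. The hostnames and the version-string format (including the trailing build suffix) are assumptions, and branches the article does not list are reported as unknown rather than guessed.

```python
import re

# Fixed release per affected branch, taken from the list in this article.
FIXED = {
    (7, 3): (7, 3, 2),
    (7, 2): (7, 2, 6),
    (7, 1): (7, 1, 8),
    (7, 0): (7, 0, 4),
    (6, 7): (6, 7, 10),
}
# Branches with no in-branch fix: the article says these require migration.
MIGRATE = {(6, 6), (6, 5), (6, 4), (6, 3), (6, 2), (6, 1), (5, 4)}


def triage(version: str) -> str:
    """Classify a FortiSIEM version string against the CVE-2025-25256 list."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown: cannot parse version"
    # Compare as integer tuples: as strings, "6.7.10" would sort before "6.7.9".
    ver = tuple(int(part) for part in m.groups())
    branch = ver[:2]
    if branch in MIGRATE:
        return "affected: migrate to a patched release"
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown: branch not listed in the article"
    if ver < fixed:
        return "affected: upgrade to " + ".".join(map(str, fixed))
    return "fixed"


# Constructed sample inventory (hostnames and version strings are made up).
INVENTORY = {
    "siem-super-01": "7.3.1",
    "siem-worker-02": "6.7.10",
    "siem-collector-03": "6.7.9 build 1234",
    "siem-legacy-04": "6.4.2",
    "siem-lab-05": "7.1.8",
}


def needs_action(inventory):
    """Return {host: verdict} for every host not confirmed as fixed."""
    verdicts = {host: triage(ver) for host, ver in inventory.items()}
    return {host: v for host, v in verdicts.items() if v != "fixed"}


if __name__ == "__main__":
    for host, verdict in needs_action(INVENTORY).items():
        print(f"{host}: {verdict}; until then restrict port 7900 (phMonitor)")
```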
Given that working exploit code is publicly available, unpatched FortiSIEM instances are at severe risk. Successful exploitation could give an attacker full remote control over the affected system, enabling:
- Data theft or exfiltration of security logs and incident reports
- Disabling of security monitoring and alerting capabilities
- Lateral movement into other networked systems