Fortinet Critical Alert: CVE-2025-64155 RCE & Config Leaks Exposed

Fortinet has issued a sweeping set of security advisories, patching critical vulnerabilities across its product ecosystem that could allow attackers to execute arbitrary code, delete files, or hijack device configurations. The most severe threats target FortiSIEM, FortiOS, and FortiFone, with one critical flaw carrying a CVSS score of 9.4, signaling an immediate danger to enterprise networks.

The most dangerous vulnerability in this batch is CVE-2025-64155, a critical OS Command Injection flaw in FortiSIEM. Rated CVSS 9.4, this vulnerability allows an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.

The flaw specifically impacts “Super and Worker nodes,” though Collector nodes are reportedly safe. Administrators are urged to upgrade to versions 7.4.1, 7.3.5, or 7.2.7 immediately. For those who cannot patch right away, a workaround exists: “Limit access to the phMonitor port (7900)” to mitigate the risk. Research published the technical details and a proof-of-concept exploit code for this flaw.

Fortinet’s flagship operating system, FortiOS, along with FortiSwitch Manager, is vulnerable to a heap-based buffer overflow (CVE-2025-25249, CVSS 7.4). This flaw allows a remote unauthenticated attacker to execute arbitrary code via the cw_acd daemon.

This vulnerability affects a wide range of versions, including FortiOS 7.6, 7.4, 7.2, and 7.0, as well as FortiSwitch Manager . Fortinet has provided a specific workaround for this issue: administrators can “remove ‘fabric’ access” from interfaces or use a local-in policy to block access to the CAPWAP daemon on ports 5246-5249.

FortiFone Web Portals are suffering from a critical Information Disclosure vulnerability (CVE-2025-47855, CVSS 9.3). An unauthenticated attacker can exploit this to “obtain the device configuration via crafted HTTP or HTTPS requests”.

This is a massive security lapse, as device configurations often contain sensitive network data. Affected versions include FortiFone 7.0 and 3.0, with upgrades available to 7.0.2 and 3.0.24 respectively.

The advisory list is rounded out by three other significant vulnerabilities:

• FortiVoice (CVE-2025-58693): A path traversal flaw allows privileged attackers to “delete files from the underlying filesystem”.
• FortiClientEMS (CVE-2025-59922): An SQL Injection vulnerability allows authenticated admins to execute unauthorized SQL commands.
• FortiSandbox (CVE-2025-67685): A Server-Side Request Forgery (SSRF) flaw allows authenticated attackers to proxy internal requests.

Fortinet has released fixed versions for all affected products. Administrators are strongly advised to consult the official upgrade path tool and apply these security updates immediately to prevent exploitation.

Related Posts:

• FortiSIEM CVE-2025-25256 (CVSS 9.8): Remote Unauthenticated Command Injection with Exploit in the Wild
• FortiSIEM Vulnerability Exposes Systems to Remote Code Execution
• Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
• CVE-2024-23108 & CVE-2024-23109 (CVSS 10): Critical Command Injection Flaws in Fortinet FortiSIEM
• Unauthenticated RCE Flaw in Fortinet FortiSIEM: Researchers Publishes PoC for CVE-2023-34992