CVE-2025-64155: In the Wild Exploitation of FortiSIEM for Unauthenticated Root-Level RCE

On January 13th, 2026, Fortinet publicly disclosed and patched CVE-2025-64155 (CVSS 9.8) affecting FortiSIEM, along with five additional vulnerabilities across its product line [1][2][3][4][5]. In particular, CVE-2025-64155 represents high-risk exposure; immediately after its release, active exploitation was reported. The flaw was responsibly disclosed to Fortinet by Horizon3.ai almost six months earlier, in August 2025. Greenbone includes a remote banner check for our enterprise customers that can detect the presence of CVE-2025-64155 in a network, as well as three other Fortinet vulnerabilities released in the same patch cycle [6][7][8].

A free two-week trial of OPENVAS BASIC, Greenbone’s entry-level virtual appliance, is available for interested parties to evaluate the OPENVAS ENTERPRISE FEED. Our full product line also includes high-performance physical and virtual appliances for corporate, education, and public sector customers.

CVE-2025-64155 (CVSS 9.8) is a new OS command injection flaw [CWE-78] that allows remote code execution (RCE) with root-level permissions on FortiSIEM endpoints. Unauthenticated arbitrary RCE with root permissions is the most dangerous combination of attributes a CVE could have. The combination allows sophisticated attackers to remotely take full control of an affected device to potentially install rootkit malware. Existing rootkits are known to have advanced evasion capabilities including Endpoint Detection and Response evasion [1][2][3], covert persistence mechanisms, log tampering, firmware manipulation, and secure boot bypass [4][5][6].

Honeypot exploitation has been reported by Defused, but no specific victims have been identified, and CVE-2025-64155 has not been added to CISA’s Known Exploited Vulnerabilities (KEV) database. However, Fortinet CVEs have been listed 23 times on CISA KEV; 13 are associated with ransomware attacks. A full technical description and proof-of-concept (PoC) exploit have been published by Horizon3.ai, the team that first discovered the flaw. Multiple government CERT agencies have issued alerts globally [7][8][9][10][11][12][13]. Fortinet users should review all recent PSIRT advisories issued by the vendor to evaluate their risk.

A Technical Description of CVE-2025-64155 in FortiSIEM

FortiSIEM devices use the phMonitor service for communication and data sharing over TCP/IP. phMonitor exposes multiple command handlers on TCP port 7900 that operate without authentication via the initEventHandler() function. Handler routing is determined by the parameters passed by the client. 

Exploitation of CVE-2025-64155 has been demonstrated by leveraging an argument injection flaw [CWE-88] in phMonitor to achieve arbitrary file write. An attacker can use this flaw for root-level RCE by overwriting non-root-owned files that are executed by /etc/cron.d/fsm-crontab, FortiSIEM’s root-owned cron scheduler. Non-root RCE attack chains are also possible, such as writing a bash reverse shell to the /opt/phoenix/bin/phLicenseTool file, which is executed automatically on a periodic schedule.
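The escalation path above rests on one condition: a root-run scheduler executes files that a lower-privileged account can modify. The following Python script is an added example (not Greenbone’s, Fortinet’s or Horizon3.ai’s code) that audits a cron.d-style file for exactly that condition, flagging entries run as root whose executable is not root-owned or is group/world writable. The cron file built in demo() and its contents are constructed for the demonstration; it does not reproduce /etc/cron.d/fsm-crontab.

```python
"""Audit a cron.d-style file for root entries whose executable a non-root
user could replace.  Added example; file names and sample content are
constructed, not taken from FortiSIEM."""
import os
import re
import shlex
import stat
import tempfile

# cron.d lines: five schedule fields (or an @-schedule), then USER, then command.
_ENTRY_RE = re.compile(
    r"^(?:@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.+)$"
)


def parse_cron_d(text):
    """Return (user, command) pairs, skipping comments, blanks and VAR=value lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def first_executable(command):
    """The program cron will launch: the first shell word of the command."""
    try:
        words = shlex.split(command)
    except ValueError:
        return None
    return words[0] if words else None


def is_weak(uid, mode):
    """True when a file is not owned by root or is group/world writable,
    i.e. a non-root account could change what root executes."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron_file(path):
    """Return (user, executable, reason) findings for root-run entries whose
    executable is modifiable by a non-root user."""
    findings = []
    with open(path) as f:
        entries = parse_cron_d(f.read())
    for user, command in entries:
        if user != "root":
            continue
        exe = first_executable(command)
        # Only absolute, existing paths can be checked meaningfully here.
        if not exe or not os.path.isabs(exe) or not os.path.exists(exe):
            continue
        st = os.stat(exe)
        if is_weak(st.st_uid, st.st_mode):
            reason = f"uid={st.st_uid} mode={oct(st.st_mode & 0o777)}"
            findings.append((user, exe, reason))
    return findings


def demo():
    """Constructed scenario: a root cron entry pointing at a world-writable
    script.  Returns the audit findings (exactly one expected)."""
    d = tempfile.mkdtemp()
    weak = os.path.join(d, "rotate.sh")
    with open(weak, "w") as f:
        f.write("#!/bin/bash\necho rotate\n")
    os.chmod(weak, 0o777)  # deliberately world-writable
    cron = os.path.join(d, "app-crontab")  # constructed name
    with open(cron, "w") as f:
        f.write(f"SHELL=/bin/bash\n*/5 * * * * root {weak}\n0 * * * * admin {weak}\n")
    return audit_cron_file(cron)


if __name__ == "__main__":
    for user, exe, reason in demo():
        print(f"root-run entry with modifiable executable: {exe} ({reason})")
```

Run it against each file under /etc/cron.d on a host; any finding is a path where a file-write primitive obtained as a low-privileged user becomes code execution as root.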

When specific parameters are passed to phMonitor, invoking the handleStorageRequest function, the user-controlled <cluster_url> parameter is passed to a shell script named elastic_test_url.sh. The shell script further appends the <cluster_url> parameter to the curl command and executes it. However, because the parameter is not properly sanitized, curl can be abused to trigger local file writes on the target FortiSIEM host. Horizon3.ai researchers have also pointed out that FortiSIEM’s lack of authentication for the phMonitor API has contributed to several maximum severity, exploitable CVEs in the past [1][2].
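The defect described above is a caller-supplied value appended to a curl command line without validation. As an added example (not FortiSIEM code; the contents of elastic_test_url.sh are not on the page, and the function names and sample values below are constructed), this Python shows the hardened shape of such a connectivity check: accept only an absolute http(s) URL with no option-like prefix and no shell metacharacters, then invoke curl without a shell and with `--` terminating option parsing so the value can never be read as a curl option.

```python
"""Hardened handling of a caller-supplied URL passed to curl.
Added example with constructed names; not the vendor's script."""
import re
import subprocess
from urllib.parse import urlsplit


class RejectedUrl(ValueError):
    """Raised when the supplied value is not a plain absolute http(s) URL."""


def validate_cluster_url(value):
    """Return value unchanged if it is safe to hand to curl as a URL."""
    if not isinstance(value, str) or not value:
        raise RejectedUrl("empty value")
    if value.startswith("-"):
        raise RejectedUrl("looks like a command-line option")
    if re.search(r"[\s;&|`$<>\"'\\]", value):
        raise RejectedUrl("contains whitespace or shell metacharacters")
    try:
        parts = urlsplit(value)
    except ValueError as e:
        raise RejectedUrl(f"unparseable URL: {e}")
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise RejectedUrl("not an absolute http(s) URL")
    return value


def is_acceptable(value):
    """Boolean wrapper around validate_cluster_url."""
    try:
        validate_cluster_url(value)
        return True
    except RejectedUrl:
        return False


def build_curl_argv(cluster_url):
    """argv for a reachability probe.  No shell is involved, output goes to
    /dev/null, and '--' ends option parsing before the URL."""
    url = validate_cluster_url(cluster_url)
    return [
        "curl", "--silent", "--show-error", "--max-time", "5",
        "--output", "/dev/null", "--write-out", "%{http_code}",
        "--", url,
    ]


def check_cluster_url(cluster_url):
    """Run the probe and return the HTTP status code curl reports."""
    argv = build_curl_argv(cluster_url)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed inputs: one legitimate URL, two that must be refused.
    for sample in ("https://es.internal:9200/_cluster/health",
                   "-o /tmp/constructed",
                   "http://es.internal/ -o /tmp/constructed"):
        print(f"{sample!r}: {'accepted' if is_acceptable(sample) else 'rejected'}")
```

The two layers are independent: the allow-list validator stops option-shaped or multi-token input, and building an argv with `--` (rather than interpolating into a shell string) removes the interpretation step that made the injection possible in the first place.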

Mitigating CVE-2025-64155 in FortiSIEM Devices

Users should follow the update guidance provided in Fortinet’s official advisory for CVE-2025-64155. According to Fortinet, the flaw does not affect all node types. Only the Super and Worker nodes are impacted. For customers who cannot complete an update, Fortinet advises restricting access to the phMonitor port 7900. However, blocking access to port 7900 may cause services that depend on it to fail.

While Fortinet’s official hardening guide advises users that FortiSIEM should operate “in a protected network segment”, security researchers are well aware that sensitive services are often exposed to the internet despite the high risk. Even if a FortiSIEM device is not exposed publicly, vulnerable instances could be used for lateral movement and persistence within a target network. This threat applies if attackers already have a foothold, if malicious insiders are present, or if attackers gain unauthorized access to a user’s internal network in the future.

The affected FortiSIEM products and relevant mitigations are:

Affected Product   Version   Solution
FortiSIEM          Cloud     Not affected
FortiSIEM          7.5       Not affected
FortiSIEM          7.4       Upgrade to 7.4.1 or above
FortiSIEM          7.3       Upgrade to 7.3.5 or above
FortiSIEM          7.2       Upgrade to 7.2.7 or above
FortiSIEM          7.1       Upgrade to 7.1.9 or above
FortiSIEM          7.0       Migrate to fixed release
FortiSIEM          6.7       Migrate to fixed release

Summary

CVE-2025-64155 (CVSS 9.8) is a critical, unauthenticated, root-level remote code execution vulnerability in FortiSIEM that was disclosed and patched by Fortinet on January 13, 2026. Honeypot exploitation activity was observed almost immediately after disclosure, increasing risk for any exposed or reachable FortiSIEM deployments. Defenders should ensure that their FortiSIEM instances are not publicly accessible and that access controls are strictly enforced even on internal network segments.

A free two-week trial of OPENVAS BASIC, Greenbone’s entry-level virtual appliance, is available for interested parties to evaluate the industry-leading coverage of the OPENVAS ENTERPRISE FEED. Our full product line-up also includes high-performance physical and virtual appliances for medium and large corporate, education, and public sector customers.