Fortinet disclosed a critical OS command injection vulnerability in FortiSIEM on January 13, 2026, warning users of a high-risk flaw that lets unauthenticated attackers execute arbitrary code.
Tracked as CVE-2025-64155, the issue stems from improper neutralization of special elements in OS commands (CWE-78) within the phMonitor component on port 7900. Attackers can craft malicious TCP requests to Super and Worker nodes, potentially resulting in full-system compromise.
With a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is rated Critical due to its network accessibility, low complexity, and lack of required privileges.
No user interaction is required, and exploitation could result in remote code execution, data theft, or persistence in environments that rely on FortiSIEM for security information and event management.
Affected Versions and Fixes
This flaw affects multiple FortiSIEM branches but leaves Collector nodes unaffected. Fortinet urges immediate upgrades or migrations; as a workaround, access to TCP port 7900 should be restricted via firewalls.
| Version | Affected Releases | Solution |
|---|---|---|
| FortiSIEM Cloud | Not affected | Not Applicable |
| FortiSIEM 7.5 | Not affected | Not Applicable |
| FortiSIEM 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiSIEM 7.3 | 7.3.0 through 7.3.4 | Upgrade to 7.3.5 or above |
| FortiSIEM 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiSIEM 7.1 | 7.1.0 through 7.1.8 | Upgrade to 7.1.9 or above |
| FortiSIEM 7.0 | 7.0.0 through 7.0.4 | Migrate to a fixed release |
| FortiSIEM 6.7 | 6.7.0 through 6.7.10 | Migrate to a fixed release |
Organizations running vulnerable versions in production face elevated risks, especially in hybrid or on-premises SIEM deployments.
Security researcher Zach Hanley (@hacks_zach) of Horizon3.ai responsibly reported the bug under Fortinet’s program. The advisory (FG-IR-25-772) appeared on Fortinet’s PSIRT page, with NVD details pending full analysis. No evidence of active exploitation has surfaced yet, but the unauthenticated nature demands urgency.
Fortinet recommends auditing logs for anomalous TCP/7900 traffic and applying patches promptly. This incident underscores the need for least-privilege network segmentation in SIEM architectures.
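The two defensive steps above, checking a deployment's version against the advisory table and auditing for TCP/7900 traffic from unexpected sources, as an added Python example (not Fortinet's or Horizon3.ai's code). The allowlisted subnet, the key=value log layout and the sample lines are constructed for the example.

```python
"""Triage helpers for CVE-2025-64155 (Fortinet advisory FG-IR-25-772).
Added example, not Fortinet's or Horizon3.ai's code: encodes the advisory's
affected-release table and flags TCP/7900 connections in constructed firewall
log lines that do not come from an allowlisted Super/Worker node."""
import re
from ipaddress import ip_address, ip_network

# Per branch: (first affected, last affected), taken from the advisory table.
AFFECTED = {
    (7, 4): ((7, 4, 0), (7, 4, 0)),   # upgrade to 7.4.1 or above
    (7, 3): ((7, 3, 0), (7, 3, 4)),   # upgrade to 7.3.5 or above
    (7, 2): ((7, 2, 0), (7, 2, 6)),   # upgrade to 7.2.7 or above
    (7, 1): ((7, 1, 0), (7, 1, 8)),   # upgrade to 7.1.9 or above
    (7, 0): ((7, 0, 0), (7, 0, 4)),   # migrate to a fixed release
    (6, 7): ((6, 7, 0), (6, 7, 10)),  # migrate to a fixed release
}

def is_affected(version: str) -> bool:
    """True if a FortiSIEM version string falls inside an affected range.
    Only the first three numeric fields are compared (7.3.4-build0123 counts
    as 7.3.4); branches absent from the table (7.5, Cloud) are unaffected."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    v = (parts + (0, 0, 0))[:3]          # pad short strings such as "7.2"
    rng = AFFECTED.get(v[:2])
    return rng is not None and rng[0] <= v <= rng[1]

# Constructed allowlist: the subnet that holds the Super and Worker nodes.
ALLOWED_NODES = [ip_network("10.0.5.0/24")]
# Constructed, generic key=value log layout, not a real FortiGate format.
LOG_RE = re.compile(r"proto=TCP src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def suspicious_7900(lines, allowed=ALLOWED_NODES):
    """Return (src, dst) for TCP/7900 connections from non-allowlisted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["dport"] != "7900":
            continue
        if not any(ip_address(m["src"]) in net for net in allowed):
            hits.append((m["src"], m["dst"]))
    return hits

SAMPLE_LOGS = [  # constructed sample lines
    "2026-01-14T08:01:02Z ACCEPT proto=TCP src=10.0.5.12 dst=10.0.5.10 dport=7900",
    "2026-01-14T08:01:05Z ACCEPT proto=TCP src=203.0.113.45 dst=10.0.5.10 dport=7900",
    "2026-01-14T08:01:07Z ACCEPT proto=TCP src=203.0.113.45 dst=10.0.5.10 dport=443",
]
```

Any hit from `suspicious_7900` is a connection to phMonitor from a host that is not a known Super or Worker node, which is exactly the traffic the firewall workaround should be blocking.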