Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet’s Security Information and Event Management (SIEM) solution that could be leveraged by a remote, unauthenticated attacker to execute commands or code.
The vulnerability is tracked as CVE-2025-25256, and is a combination of two issues that permit arbitrary write with admin permissions and privilege escalation to root access.
Researchers at penetration testing company Horizon3.ai reported the security issue in mid-August 2025. In early November, Fortinet addressed it in four out of five development branches of the product and announced this week that all vulnerable versions have been patched.
Fortinet describes the CVE-2025-25256 vulnerability as “an improper neutralization of special elements used in an OS command vulnerability in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.”
Horizon3.ai has published a detailed write-up explaining that the root cause of the issue is the exposure of dozens of command handlers on the phMonitor service, which can be invoked remotely without authentication.
The researchers say that this service has been the entry point for multiple FortiSIEM vulnerabilities over several years, like CVE-2023-34992 and CVE-2024-23108, and underline that ransomware groups like Black Basta have previously shown sincere interest in these flaws.
Along with technical details about CVE-2025-25256, the researchers have also published a demonstrative exploit. Since the vendor delivered the fix and published a security advisory, the researchers decided to share the exploit code.
The flaw impacts FortiSIEM versions from 6.7 to 7.5, and fixes were made available to the following releases:
- FortiSIEM 7.4.1 or above
- FortiSIEM 7.3.5 or above
- FortiSIEM 7.2.7 or above
- FortiSIEM 7.1.9 or above
FortiSIEM 7.0 and 6.7.0 are also impacted but are no longer supported, so they won’t receive a fix for CVE-2025-25256.
Fortinet clarified that this flaw does not impact FortiSIEM 7.5 and FortiSIEM Cloud.
The only workaround provided by the vendor for those unable to apply the security update immediately is to limit access to the phMonitor port (7900).
Horizon3.ai has also shared indicators of compromise that can help companies detect compromised systems. Looking at the logs for the messages received by phMonitor (/opt/phoenix/log/phoenix.logs), the line with ‘PHL_ERROR’ should include the URL for the payload and the file it is written to.
It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.