Fortinet has issued a critical security alert for a severe vulnerability in its FortiSIEM platform, designated as CVE-2025-25256, which has an extremely high CVSS score of 9.8 out of 10. The company has confirmed that exploit code for this vulnerability is already being used in active attacks.
Vulnerability Details
This is an OS Command Injection vulnerability (CWE-78) that allows unauthenticated attackers to execute unauthorized code or commands through specially crafted CLI requests. The flaw involves improper neutralization of special elements used in OS commands, making it particularly dangerous as it requires no authentication to exploit.
Affected Versions and Remediation
The vulnerability impacts multiple FortiSIEM versions with specific upgrade paths:
- FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6: Migration to a fixed release required
- FortiSIEM 6.7.0 through 6.7.9: Upgrade to 6.7.10 or above
- FortiSIEM 7.0.0 through 7.0.3: Upgrade to 7.0.4 or above
- FortiSIEM 7.1.0 through 7.1.7: Upgrade to 7.1.8 or above
- FortiSIEM 7.2.0 through 7.2.5: Upgrade to 7.2.6 or above
- FortiSIEM 7.3.0 through 7.3.1: Upgrade to 7.3.2 or above
- FortiSIEM 7.4: Not affected
In-the-Wild Exploitation
Fortinet has acknowledged that “practical exploit code for this vulnerability was found in the wild”. However, the company has not disclosed specific details about the nature of the exploit or where it was discovered. Additionally, the exploitation code reportedly does not produce distinctive indicators of compromise (IoCs), making detection more challenging.
Immediate Workaround
As a temporary mitigation measure, Fortinet recommends that organizations limit access to the phMonitor port (7900) while working to implement the necessary upgrades.
