On 13 January 2025, Fortinet released fixes for a critical-severity FortiSIEM vulnerability (CVE-2025-64155) that stems from improper neutralization of special elements used in OS commands within the phMonitor service (TCP/7900). An unauthenticated, remote threat actor can exploit this vulnerability via crafted TCP requests to execute unauthorized code or commands on affected systems.
Horizon3, who had responsibly disclosed this vulnerability to Fortinet, demonstrated that CVE-2025-64155 can be weaponized to achieve full system takeover through command injection of tools such as curl, allowing an unauthenticated threat actor to write a reverse-shell payload to a file typically only writable by an admin user. This enables privilege escalation from admin to root.
At the time of writing, Arctic Wolf has not observed exploitation of this vulnerability in the wild. However, the release of public technical details and a proof-of-concept (PoC) exploit lowers the barrier to exploitation, which may lead threat actors to weaponize this vulnerability in the future.
Recommendation for CVE-2025-64155
Upgrade To Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
|---|---|---|
| FortiSIEM Cloud | Not affected | Not applicable |
| FortiSIEM 7.5 | Not affected | Not applicable |
| FortiSIEM 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiSIEM 7.3 | 7.3.0 through 7.3.4 | Upgrade to 7.3.5 or above |
| FortiSIEM 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiSIEM 7.1 | 7.1.0 through 7.1.8 | Upgrade to 7.1.9 or above |
| FortiSIEM 7.0 | 7.0.0 through 7.0.4 | Migrate to a fixed release |
| FortiSIEM 6.7 | 6.7.0 through 6.7.10 | Migrate to a fixed release |
Note: CVE-2025-64155 does not impact Collector nodes, only Super and Worker nodes.
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
Isolate FortiSIEM Instances From the Internet
According to Fortinet’s documentation, FortiSIEM should be placed in an isolated network segment behind a firewall, and not exposed on the public internet. By keeping this service isolated from the internet, the attack surface is reduced and threat actors are prevented from gaining initial access through critical vulnerabilities such as CVE-2025-64155.
Workaround (Optional)
For users unable to immediately apply the patch, Fortinet recommends restricting network access to FortiSIEM’s phMonitor service (TCP/7900).
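One way to put this workaround into practice on a Linux host in front of (or on) a FortiSIEM Super or Worker node is a host firewall rule that admits TCP/7900 only from the other FortiSIEM nodes that legitimately talk to phMonitor and logs and drops everything else. The script below is an added example, not Arctic Wolf's or Fortinet's code: it validates an allowlist of IPv4 addresses or CIDR blocks, then emits an nftables ruleset you can review with `nft -c -f` before loading it with `nft -f`. The table and chain names, the log prefix and the sample node addresses are all this script's own constructed choices; adjust the allowlist to your actual Super, Worker and Collector addresses and any management hosts.

```shell
#!/bin/sh
# Added example (not Arctic Wolf's or Fortinet's code): generate an nftables
# ruleset that restricts FortiSIEM's phMonitor service (TCP/7900) to an
# allowlist of peer nodes, as an interim measure until the fixed release is
# installed. All addresses used here are constructed placeholders.

PHMONITOR_PORT=7900

# validate_ipv4 A.B.C.D: succeed only for four dotted-decimal octets in 0..255
validate_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_cidr ADDR[/PREFIX]: a bare address or a /0..32 CIDR block
validate_cidr() {
    case $1 in
        */*) ip=${1%/*}; prefix=${1#*/} ;;
        *)   ip=$1; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    validate_ipv4 "$ip"
}

# gen_phmonitor_rules PEER...: print an nftables table that accepts TCP/7900
# from the listed peers and logs-then-drops it from any other source. Other
# traffic is left to the existing policy (policy accept in this chain).
gen_phmonitor_rules() {
    [ $# -gt 0 ] || { echo "allowlist must not be empty" >&2; return 1; }
    for peer in "$@"; do
        validate_cidr "$peer" || { echo "invalid allowlist entry: $peer" >&2; return 1; }
    done
    allow=$(printf '%s, ' "$@")
    allow=${allow%, }
    cat <<EOF
table inet fortisiem_phmonitor {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $PHMONITOR_PORT ip saddr { $allow } accept
        tcp dport $PHMONITOR_PORT log prefix "phmonitor-blocked: " drop
    }
}
EOF
}

# Usage: ./phmonitor-rules.sh 10.0.0.0/24 10.0.1.5 > phmonitor.nft
#        nft -c -f phmonitor.nft   # syntax check, no changes applied
#        nft -f phmonitor.nft      # load the ruleset (requires root)
if [ $# -gt 0 ]; then
    gen_phmonitor_rules "$@"
fi
```

The dropped-packet log lines (prefix `phmonitor-blocked:`) double as a cheap detection signal: any source outside the allowlist attempting to reach TCP/7900 on a Super or Worker node is worth investigating while the workaround is in place, and the rule should be removed once the node is upgraded to a fixed version.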