On August 12, 2025, Fortinet released fixes for a critical-severity vulnerability in FortiSIEM, tracked as CVE-2025-25256. The flaw arises from improper neutralization of special elements used in an OS command within the phMonitor service (TCP/7900). Successful exploitation could allow a remote, unauthenticated threat actor to execute unauthorized code or commands via crafted CLI requests.
Fortinet has stated that a proof-of-concept exploit for CVE-2025-25256 exists in the wild. However, at the time of writing, Arctic Wolf has not observed exploitation of this vulnerability. Given that a PoC is publicly available—lowering the barrier to exploitation and increasing the potential level of access a threat actor could obtain—threat actors are likely to target this vulnerability in the future.
Recommendation For CVE-2025-25256
Upgrade FortiSIEM to Fixed Version
Arctic Wolf strongly recommends upgrading to the latest fixed versions of FortiSIEM.
Product | Affected Version | Fixed Version |
FortiSIEM 7.4 | Not affected | Not Applicable |
FortiSIEM 7.3 | 7.3.0 through 7.3.1 | Upgrade to 7.3.2 or above |
FortiSIEM 7.2 | 7.2.0 through 7.2.5 | Upgrade to 7.2.6 or above |
FortiSIEM 7.1 | 7.1.0 through 7.1.7 | Upgrade to 7.1.8 or above |
FortiSIEM 7.0 | 7.0.0 through 7.0.3 | Upgrade to 7.0.4 or above |
FortiSIEM 6.7 | 6.7.0 through 6.7.9 | Upgrade to 6.7.10 or above |
FortiSIEM 6.6 | 6.6 all versions | Migrate to a fixed release |
FortiSIEM 6.5 | 6.5 all versions | Migrate to a fixed release |
FortiSIEM 6.4 | 6.4 all versions | Migrate to a fixed release |
FortiSIEM 6.3 | 6.3 all versions | Migrate to a fixed release |
FortiSIEM 6.2 | 6.2 all versions | Migrate to a fixed release |
FortiSIEM 6.1 | 6.1 all versions | Migrate to a fixed release |
FortiSIEM 5.4 | 5.4 all versions | Migrate to a fixed release |
Please follow your organization's patching and testing guidelines to avoid operational impact.
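The table above, applied to an inventory of version strings. This is an added example, not code from Arctic Wolf or Fortinet. The `triage` function, the hostnames and the installed versions are constructed for illustration. Patch levels are compared as integers, so 6.7.10 correctly ranks above 6.7.9.

```python
import re

# Branch -> first fixed patch release, taken from the advisory table above.
# None means every release in the branch is affected and has no in-branch fix.
FIXED_PATCH = {
    (7, 3): 2, (7, 2): 6, (7, 1): 8, (7, 0): 4, (6, 7): 10,
    (6, 6): None, (6, 5): None, (6, 4): None, (6, 3): None,
    (6, 2): None, (6, 1): None, (5, 4): None,
}
NOT_AFFECTED = {(7, 4)}


def triage(version):
    """Return (status, action) for a FortiSIEM version string such as '7.2.3'."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*", version)
    if not m:
        return ("unknown", "unparseable version string")
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3)) if m.group(3) is not None else None
    if branch in NOT_AFFECTED:
        return ("not affected", "none")
    if branch not in FIXED_PATCH:
        # Branches the advisory does not mention are not assumed safe.
        return ("unknown", "branch not listed in the advisory")
    fixed = FIXED_PATCH[branch]
    if fixed is None:
        return ("affected", "migrate to a fixed release")
    target = "%d.%d.%d" % (branch[0], branch[1], fixed)
    if patch is None:
        # Without a patch level we cannot prove the host is fixed.
        return ("unknown", "patch level missing; confirm it is %s or above" % target)
    if patch >= fixed:
        return ("fixed", "none")
    return ("affected", "upgrade to %s or above" % target)


# Constructed inventory (hostnames and versions are made up for illustration).
INVENTORY = {
    "siem-super-01": "7.2.5", "siem-worker-01": "7.2.6",
    "siem-lab": "6.4.2", "siem-new": "7.4.0", "siem-old": "5.3.1",
}

if __name__ == "__main__":
    for host, ver in sorted(INVENTORY.items()):
        status, action = triage(ver)
        print("%-16s %-8s %-13s %s" % (host, ver, status, action))
```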
Workaround (Optional)
For users unable to patch, Fortinet recommends restricting network access to FortiSIEM’s phMonitor service (TCP port 7900).