Fortinet warns about FortiSIEM vulnerability with in-the-wild exploit code (CVE-2025-25256)

Fortinet has released patches for a critical OS command injection vulnerability (CVE-2025-25256) in FortiSIEM, after practical exploit code surfaced in the wild.


About CVE-2025-25256

FortiSIEM is a security information and event management platform that collects, correlates and analyzes logs, events and alerts from across an organization’s IT and security infrastructure to help detect threats and investigate incidents.

CVE-2025-25256 stems from improper neutralization of special elements used in an OS command and may allow an unauthenticated, remote attacker to execute unauthorized code or commands on vulnerable devices via specially crafted command-line interface (CLI) requests. No user interaction is required to exploit the vulnerability.

The vulnerability affects FortiSIEM versions:

  • 7.3.0 through 7.3.1
  • 7.2.0 through 7.2.5
  • 7.1.0 through 7.1.7
  • 7.0.0 through 7.0.3
  • 6.7.0 through 6.7.9

Older branches – FortiSIEM 6.6, 6.5, 6.4, 6.3, 6.2, 6.1, and 5.4 – are also affected.

Admins are advised to upgrade to one of the following versions that include a fix:

  • FortiSIEM 7.4 (released in late July 2025)
  • FortiSIEM 7.3.2 or above
  • FortiSIEM 7.2.6 or above
  • FortiSIEM 7.1.8 or above
  • FortiSIEM 7.0.4 or above
  • FortiSIEM 6.7.10 or above

If a quick upgrade is not possible, Fortinet advises restricting access to the phMonitor port (TCP 7900) to trusted internal hosts/IPs only. That port hosts the phMonitor service, which internal FortiSIEM components (supervisor, workers, collectors) use to communicate with each other and to perform discovery and synchronization tasks. This is a mitigation rather than a fix: the vulnerable code stays reachable from any host that is still permitted to reach the port, so the allowlist should be as narrow as the deployment permits.
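The workaround above has two practical halves: find out who is actually reaching TCP 7900, and then restrict it. The script below is an added example written for this article, not Fortinet’s code or tooling: it parses constructed firewall connection-log lines in a hypothetical `key=value` format (the field names `src`, `dst`, `dport`, `proto`, `action` and the sample records are assumptions, not a real FortiSIEM or Fortinet log format), reports TCP connections to the phMonitor port from sources outside a trusted-network allowlist, and emits an nftables ruleset that allows only those networks to reach the port. The ruleset assumes an IPv4-only, Linux-based enforcement point (a host firewall or a Linux gateway in front of the FortiSIEM nodes) that the administrator controls; adapt the same allow-then-drop logic to whatever perimeter firewall sits in front of the supervisor and workers.

```python
"""Audit and restrict exposure of FortiSIEM's phMonitor port (TCP 7900).

Added example for this article; not Fortinet code. Log format is hypothetical.
"""
import ipaddress
import re

PHMONITOR_PORT = 7900  # phMonitor service port named in Fortinet's workaround

# Constructed sample data (not real logs): hypothetical firewall connection
# records for traffic toward a FortiSIEM supervisor at 10.10.10.5.
SAMPLE_LOG = """\
2025-08-13T09:12:01Z src=10.10.20.15 dst=10.10.10.5 dport=7900 proto=tcp action=accept
2025-08-13T09:12:07Z src=203.0.113.44 dst=10.10.10.5 dport=7900 proto=tcp action=accept
2025-08-13T09:12:09Z src=203.0.113.44 dst=10.10.10.5 dport=443 proto=tcp action=accept
2025-08-13T09:13:30Z src=10.10.20.16 dst=10.10.10.5 dport=7900 proto=udp action=accept
2025-08-13T09:14:02Z src=198.51.100.9 dst=10.10.10.5 dport=7900 proto=tcp action=drop
"""

# Assumed key=value layout; adjust the pattern to your firewall's export format.
LINE_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+"
    r"proto=(?P<proto>\S+)\s+action=(?P<action>\S+)"
)


def parse_log(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def _is_trusted(addr, trusted_nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted_nets)


def untrusted_phmonitor_connections(text, trusted_cidrs, port=PHMONITOR_PORT):
    """Return TCP connection records to `port` whose source is outside the allowlist.

    Dropped connections are reported too: a blocked attempt from an unexpected
    source is still something an analyst should look at.
    """
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for rec in parse_log(text):
        if rec["proto"].lower() != "tcp" or rec["dport"] != port:
            continue
        if not _is_trusted(rec["src"], trusted):
            findings.append(rec)
    return findings


def nft_ruleset(trusted_cidrs, port=PHMONITOR_PORT):
    """Build an nftables ruleset allowing `port` only from the trusted networks.

    Assumes IPv4 only (set type ipv4_addr). Single hosts become /32 entries.
    Apply with: nft -f <file>  (after reviewing it).
    """
    nets = [str(ipaddress.ip_network(c, strict=False)) for c in trusted_cidrs]
    elements = ", ".join(nets)
    return (
        "table inet fortisiem_phmonitor {\n"
        f"    set phmonitor_trusted {{ type ipv4_addr; flags interval; elements = {{ {elements} }} }}\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy accept;\n"
        f"        tcp dport {port} ip saddr @phmonitor_trusted accept\n"
        f"        tcp dport {port} drop\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Assumed allowlist: the FortiSIEM node subnet and the collector subnet.
    trusted = ["10.10.10.0/24", "10.10.20.0/24"]
    for f in untrusted_phmonitor_connections(SAMPLE_LOG, trusted):
        print(f"UNTRUSTED {f['src']} -> {f['dst']}:{f['dport']} ({f['action']})")
    print(nft_ruleset(trusted))
```

Run the audit against a log export covering at least the window since the advisory; an accepted connection to 7900 from a source that is not a FortiSIEM supervisor, worker or collector is exactly the kind of event the article notes will otherwise leave no distinctive trace. The generated ruleset drops everything else to the port rather than relying on the default policy, so it stays correct even if the surrounding chain is permissive.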

Should you worry about the exploit code?

Fortinet did not share details about where the exploit code has been found or speculate about the possibility of it having been leveraged by attackers.

A little over a year ago, Horizon3.ai researchers released PoC exploits for CVE-2023-34992 and its patch bypass CVE-2024-23108, which also relied on sending specially crafted messages to FortiSIEM’s phMonitor service on tcp/7900. Despite the PoCs’ availability, there have been no confirmed instances of them being leveraged by attackers in the wild.

Unfortunately for defenders, the exploit code for CVE-2025-25256 “does not appear to produce distinctive [indicators of compromise]”, so it may be difficult to pinpoint intrusions made via this vulnerability.
