PoC exploit for critical FortiSIEM vulnerability released (CVE-2025-64155)

A critical vulnerability (CVE-2025-64155) in Fortinet’s FortiSIEM security platform has now been accompanied by publicly released proof-of-concept (PoC) exploit code, raising the urgency for organizations to patch immediately.

About CVE-2025-64155

CVE-2025-64155 may allow unauthenticated, remote attackers to execute unauthorized code or commands on vulnerable FortiSIEM deployments via specially crafted TCP requests.

“This flaw targets the phMonitor service, the ‘nervous system’ of the SIEM, allowing attackers to write arbitrary code into a file executed as the root user, gaining unauthenticated code execution,” Scott Caveza, senior staff research engineer at Tenable, told Help Net Security.

“In effect, it turns a company’s defensive headquarters into a silent staging ground for lateral movement.”

Discovered and privately reported by Horizon3.ai researcher Zach Hanley, CVE-2025-64155 has been fixed in all affected supported versions of FortiSIEM, and its existence was publicly revealed by Fortinet earlier this week.

Customers using vulnerable FortiSIEM versions have been advised to upgrade to v7.4.1 or above, 7.3.5 or above, 7.2.7 or above, or 7.1.9 or above. Those still running FortiSIEM 7.0.x or 6.7.x versions have been advised to migrate to one of the fixed releases.

If upgrading to a fixed version is impossible, admins should limit access to the phMonitor port (7900).

CVE-2025-64155 does not affect FortiSIEM Cloud or FortiSIEM 7.5. It also doesn’t affect all nodes in a FortiSIEM deployment: Supervisor and Worker nodes are affected, but Collector nodes (used for log ingestion) aren’t.
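The version and node-role rules above are easy to get wrong across a mixed deployment, so here is a small triage helper, added as an example and not code from Fortinet, Horizon3.ai or Help Net Security. It encodes only what the text states: the fixed minimum per branch, the two branches that must be migrated, the unaffected 7.5 branch, and the fact that Collector nodes are not affected. Hostnames and versions in the sample inventory are constructed; a branch the article does not mention is reported as `not_listed` rather than guessed at.

```python
# Added example (not Fortinet's or Horizon3.ai's code): triage a FortiSIEM
# inventory against the fixed releases named in the text above.
import re

# Minimum fixed patch level per release branch, as stated in the advisory summary.
FIXED_MINIMUM = {(7, 4): 1, (7, 3): 5, (7, 2): 7, (7, 1): 9}
# Branches that receive no fix and must be migrated to a fixed release.
MIGRATE_ONLY = {(7, 0), (6, 7)}
# Branch the text says is not affected at all.
NOT_AFFECTED_BRANCH = (7, 5)


def parse_version(version):
    """Turn 'v7.4.1' or '7.4.1' into (7, 4, 1); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FortiSIEM version: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess_node(version, role="supervisor"):
    """Classify one node; role is 'supervisor', 'worker' or 'collector'.

    Returns 'not_affected', 'fixed', 'upgrade', 'migrate' or 'not_listed'.
    """
    if role.lower() == "collector":
        return "not_affected"        # Collector nodes are not affected
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch == NOT_AFFECTED_BRANCH:
        return "not_affected"
    if branch in MIGRATE_ONLY:
        return "migrate"             # 7.0.x / 6.7.x: no fix, move to a fixed release
    if branch in FIXED_MINIMUM:
        return "fixed" if patch >= FIXED_MINIMUM[branch] else "upgrade"
    return "not_listed"              # branch not mentioned in the text; check the advisory


def triage(inventory):
    """inventory: iterable of (hostname, version, role). Returns {hostname: status}."""
    return {host: assess_node(ver, role) for host, ver, role in inventory}


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("sup-01", "7.4.0", "supervisor"),
    ("wrk-01", "7.3.5", "worker"),
    ("wrk-02", "7.0.3", "worker"),
    ("col-01", "7.1.2", "collector"),
    ("sup-lab", "7.5.0", "supervisor"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<10} {status}")
```

Nodes reported as `upgrade` or `migrate` are the ones for which restricting reachability of the phMonitor port (7900) is the interim measure until they are on a fixed release.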

Indicators of compromise to look for

Hanley unearthed CVE-2025-64155 while assessing a previously fixed FortiSIEM flaw (CVE-2025-25256) for which practical exploit code had been spotted in the wild.

Fortinet never said whether they detected this exploit being used by attackers, possibly because exploitation of CVE-2025-25256 does not appear to produce distinctive indicators of compromise.

A successful exploitation of CVE-2025-64155, though, will leave traces.

According to Horizon3.ai researchers, defenders can check logs for suspicious messages received by phMonitor: messages with PHL_ERROR entries and containing attacker-supplied URLs and file paths where the malicious payload is written.
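To turn that indicator into a repeatable check, here is a log scanner added as an example; it is not Horizon3.ai's or Fortinet's code. It flags PHL_ERROR lines that carry a URL and/or an absolute file path, rating lines with both higher since that matches the "attacker-supplied URL plus the path the payload is written to" pattern described above. The sample lines, their layout, the IP address and the file paths are all constructed for the example; real phMonitor output may be laid out differently, so the regexes are a starting point to adjust against your own logs.

```python
# Added example (not Horizon3.ai's or Fortinet's code): scan phMonitor log
# lines for PHL_ERROR entries that carry a URL and/or a file path.
# The log line layout below is constructed; adapt the patterns to real output.
import re

URL_RE = re.compile(r"https?://[^\s\"']+")
# Absolute path not glued to a preceding word character or slash, so URL
# remnants and fractions such as 1/2 are not picked up as paths.
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.-]+/)*[\w.-]+")


def extract_indicators(line):
    """Return (urls, paths) found in one log line."""
    urls = URL_RE.findall(line)
    without_urls = URL_RE.sub(" ", line)   # keep the URL's own path out of the path list
    paths = PATH_RE.findall(without_urls)
    return urls, paths


def scan_phmonitor_log(lines):
    """Return hits for PHL_ERROR lines that contain a URL or an absolute path.

    severity is 'high' when both a URL and a path appear on the line,
    'review' when only one of them does.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if "PHL_ERROR" not in line:
            continue
        urls, paths = extract_indicators(line)
        if not urls and not paths:
            continue
        hits.append({
            "line": lineno,
            "severity": "high" if urls and paths else "review",
            "urls": urls,
            "paths": paths,
            "text": line,
        })
    return hits


# Constructed sample log (format, address and paths are made up for the example).
SAMPLE_LOG = [
    "2025-11-20 10:00:01 phMonitor[1234]: PHL_INFO heartbeat ok",
    "2025-11-20 10:00:02 phMonitor[1234]: PHL_ERROR failed to parse request from 10.0.0.5",
    "2025-11-20 10:00:03 phMonitor[1234]: PHL_ERROR handler args: url=http://198.51.100.7/p.sh path=/opt/example/bin/p.sh",
    "2025-11-20 10:00:04 phMonitor[1234]: PHL_ERROR write failed path=/tmp/x",
]

if __name__ == "__main__":
    for hit in scan_phmonitor_log(SAMPLE_LOG):
        print(f"line {hit['line']} [{hit['severity']}] urls={hit['urls']} paths={hit['paths']}")
```

Lines rated `review` will include ordinary error messages that happen to mention a path, so they need an analyst's eye; a `high` hit that names a URL you do not recognise next to a writable path is the one to escalate.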
