CVE ID: CVE-2025-25256
CVSS v3.1: 9.8 Critical (Remote unauthenticated OS command injection)
Publish Date: August 12 2025
TL;DR
Fortinet FortiSIEM has a critical OS command injection vulnerability. An unauthenticated attacker can send specially crafted CLI requests to execute arbitrary commands on affected systems. There is confirmed proof of exploitation in the wild. Immediate patching is strongly recommended.
Affected Versions
- FortiSIEM 7.3.0 through 7.3.1
- FortiSIEM 7.2.0 through 7.2.5
- FortiSIEM 7.1.0 through 7.1.7
- FortiSIEM 7.0.0 through 7.0.3
- Versions prior to 6.7.9 (including 6.6 down to 5.4)
Vulnerability Details
- Type: OS command injection (CWE 78)
- Description: FortiSIEM does not properly neutralize special characters in OS commands. An attacker can send crafted CLI requests that result in execution of arbitrary commands on the underlying system without authentication.
- Impact: Full remote compromise of the SIEM infrastructure, potentially affecting all monitored assets.
Recommended Action
- Upgrade immediately to a patched version:
- FortiSIEM 7.4 or later
- 7.3.2, 7.2.6, 7.1.8, 7.0.4, or 6.7.10 depending on your branch
- Until patched:
- Restrict or disable access to the phMonitor port (7900) from untrusted networks.
- Monitor for abnormal CLI usage or unauthorized access attempts.
Affected Environments
- Any FortiSIEM deployment exposed to untrusted networks or the internet.
- High-risk in enterprise SOC environments where FortiSIEM manages wide-scale security telemetry.
TTP Mapping (MITRE ATT&CK)
- Initial Access / Execution: Command injection via crafted CLI requests (T1059, T1190).
- Impact: Remote system command execution for privilege escalation or persistence.
![IOC Alert: Lumma Stealer C2 Domain Identified – larpfxs[.]top](/content/images/size/w1304/format/webp/2025/08/23985762398576198764252-1.jpg)
