CVE-2025-25256: PoC Available for FortiSIEM Remote Unauthenticated Command Injection Vulnerability

On 12 August 2025, Fortinet released fixes for a critical-severity vulnerability in FortiSIEM, tracked as CVE-2025-25256.

On 12 August 2025, Fortinet released fixes for a critical-severity vulnerability in FortiSIEM, tracked as CVE-2025-25256. The flaw arises from improper neutralisation of special elements used in an OS command within the phMonitor service (TCP/7900). Successful exploitation could allow a remote, unauthenticated threat actor to execute unauthorised code or commands via crafted CLI requests.?

Fortinet has stated that a proof-of-concept exploit for CVE-2025-25256 exists in the wild. However, at the time of writing, Arctic Wolf has not observed exploitation of this vulnerability. Given that a PoC is publicly available��lowering the barrier to exploitation and increasing the potential level of access a threat actor could obtain��threat actors are likely to target this vulnerability in the future.?

Recommendation For?CVE-2025-25256

Upgrade FortiSIEM to Fixed Version

Arctic Wolf strongly recommends upgrading to the latest fixed versions of FortiSIEM.?

Product?	Affected Version?	Fixed Version?
FortiSIEM 7.4?	Not affected?	Not Applicable?
FortiSIEM 7.3?	7.3.0 through 7.3.1?	Upgrade to 7.3.2 or above?
FortiSIEM 7.2?	7.2.0 through 7.2.5?	Upgrade to 7.2.6 or above?
FortiSIEM 7.1?	7.1.0 through 7.1.7?	Upgrade to 7.1.8 or above?
FortiSIEM 7.0?	7.0.0 through 7.0.3?	Upgrade to 7.0.4 or above?
FortiSIEM 6.7?	6.7.0 through 6.7.9?	Upgrade to 6.7.10 or above?
FortiSIEM 6.6?	6.6 all versions?	Migrate to a fixed release?
FortiSIEM 6.5?	6.5 all versions?	Migrate to a fixed release?
FortiSIEM 6.4?	6.4 all versions?	Migrate to a fixed release?
FortiSIEM 6.3?	6.3 all versions?	Migrate to a fixed release?
FortiSIEM 6.2?	6.2 all versions?	Migrate to a fixed release?
FortiSIEM 6.1?	6.1 all versions?	Migrate to a fixed release?
FortiSIEM 5.4?	5.4 all versions?	Migrate to a fixed release?

Please follow your organisations patching and testing guidelines to avoid operational impact.?

Workaround (Optional)?

For users unable to patch, Fortinet recommends restricting network access to FortiSIEM��s phMonitor service (TCP port 7900).?

References?

Resources

Understand the threat landscape, and how to better defend your organisation, with the 2025 Arctic Wolf Threat Report.

See how?Arctic Wolf utilises threat intelligence to harden your attack surface and stop threats earlier and faster.

? 2026 ��. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Customer Portal Policy	Accessibility Statement	Sustainability Statement	Information Security	Cookies Settings

������

Concierge

Journey

Reduce Attack Frequency

Reduce Attack Severity

Transfer Risk

Get Started

Why Arctic Wolf

Expertise by Topic

Expertise by Industry

Resource Centre

Trending Resources

NIS2 aims to make the EU as a whole more resilient to cyber threats and strengthen cooperation between Member States on cybersecurity.

The Arctic Wolf State of Cybersecurity: 2025 Trends Report serves as an opportunity for decision makers to share their experiences over the past 12 months and their perspectives on some of the most important issues shaping the IT and security landscape.

The Arctic Wolf Threat Report draws upon the first-hand experience of our security experts, augmented by research from our threat intelligence team.

Security Bulletins

Microsoft Patch Tuesday: April 2026?

CVE-2026-35616: Fortinet Releases Hotfix for Critical Exploited Vulnerability in FortiClient EMS

CVE-2026-2699 & CVE-2026-2701: Progress ShareFile Storage Zones Controller Pre-Auth RCE Chain

Company

Careers

Press