On January 13, 2025, Fortinet released fixes for a critical-severity FortiSIEM vulnerability (CVE-2025-64155) that stems from improper neutralization of special elements used in OS commands (OS command injection) within the phMonitor service (TCP/7900). An unauthenticated, remote threat actor can exploit this vulnerability via crafted TCP requests to execute unauthorized code or commands on affected systems.
Horizon3, which responsibly disclosed this vulnerability to Fortinet, has published technical details showing that CVE-2025-64155 can be weaponized for full system takeover: the injected command (for example, curl) lets an unauthenticated threat actor write a reverse-shell payload to a file that is normally writable only by the admin user, and from there escalate privileges from admin to root.
At the time of writing, Arctic Wolf has not observed exploitation of this vulnerability in the wild. However, the release of public technical details and a proof-of-concept (PoC) exploit lowers the barrier to exploitation, which may lead threat actors to weaponize this vulnerability in the future.
Recommendation for CVE-2025-64155
Upgrade To Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
|---|---|---|
| FortiSIEM Cloud | Not affected | Not applicable |
| FortiSIEM 7.5 | Not affected | Not applicable |
| FortiSIEM 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiSIEM 7.3 | 7.3.0 through 7.3.4 | Upgrade to 7.3.5 or above |
| FortiSIEM 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiSIEM 7.1 | 7.1.0 through 7.1.8 | Upgrade to 7.1.9 or above |
| FortiSIEM 7.0 | 7.0.0 through 7.0.4 | Migrate to a fixed release |
| FortiSIEM 6.7 | 6.7.0 through 6.7.10 | Migrate to a fixed release |
Note: CVE-2025-64155 affects only Supervisor and Worker nodes; Collector nodes are not impacted.
Please follow your organization's patching and testing guidelines to minimize potential operational impact.
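To turn the table above into a repeatable check across an inventory, the following script (an added example, not Arctic Wolf's or Fortinet's code) encodes the affected ranges, the fixed versions, and the note that only Supervisor and Worker nodes are exposed, then triages a list of nodes. The inventory, host names and role labels are constructed sample data; the build-suffix format it tolerates (for example `7.3.2-2125`) is an assumption, and branches not listed in the table are reported as unknown rather than guessed.

```python
"""Triage FortiSIEM nodes against the CVE-2025-64155 affected-version table.

Added example (not Arctic Wolf's or Fortinet's code). Version ranges come
from the advisory table; the inventory below is constructed sample data and
the role labels are assumptions about how an asset inventory names them.
"""
from typing import NamedTuple, Optional

# branch -> (first affected, last affected, fixed version or None when the
# advisory says to migrate to a fixed release instead of upgrading in-branch)
AFFECTED = {
    (7, 4): ((7, 4, 0), (7, 4, 0), (7, 4, 1)),
    (7, 3): ((7, 3, 0), (7, 3, 4), (7, 3, 5)),
    (7, 2): ((7, 2, 0), (7, 2, 6), (7, 2, 7)),
    (7, 1): ((7, 1, 0), (7, 1, 8), (7, 1, 9)),
    (7, 0): ((7, 0, 0), (7, 0, 4), None),
    (6, 7): ((6, 7, 0), (6, 7, 10), None),
}
OLDEST_LISTED = (6, 7)   # branches below this are not covered by the table
FIRST_CLEAN = (7, 5)     # 7.5 and FortiSIEM Cloud are listed as not affected

# Per the advisory note, only Supervisor and Worker nodes are impacted.
VULNERABLE_ROLES = {"supervisor", "worker"}


def parse_version(text: str) -> tuple:
    """Parse 'X.Y.Z'; a trailing build suffix like '-2125' is ignored (assumed format)."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


class Finding(NamedTuple):
    host: str
    version: str
    role: str
    affected: Optional[bool]   # None = not covered by the advisory table
    action: str


def assess(host: str, version: str, role: str) -> Finding:
    """Decide whether one node is exposed to CVE-2025-64155 and what to do."""
    v = parse_version(version)
    if role.lower() not in VULNERABLE_ROLES:
        return Finding(host, version, role, False, "not a Supervisor/Worker node: not affected")
    branch = v[:2]
    if branch >= FIRST_CLEAN:
        return Finding(host, version, role, False, "branch listed as not affected")
    if branch < OLDEST_LISTED:
        return Finding(host, version, role, None, "branch not listed in the advisory: verify with Fortinet")
    first, last, fixed = AFFECTED[branch]
    if first <= v <= last:
        if fixed is None:
            return Finding(host, version, role, True, "migrate to a fixed release")
        return Finding(host, version, role, True,
                       "upgrade to %s or above" % ".".join(map(str, fixed)))
    return Finding(host, version, role, False, "already at or above the fixed version")


def triage(inventory):
    """Assess every (host, version, role) tuple; affected nodes sort first."""
    findings = [assess(h, v, r) for h, v, r in inventory]
    return sorted(findings, key=lambda f: (f.affected is not True, f.host))


# Constructed sample inventory (host names, versions and roles are made up).
SAMPLE_INVENTORY = [
    ("siem-super-01", "7.3.2-2125", "Supervisor"),
    ("siem-worker-01", "7.3.2-2125", "Worker"),
    ("siem-coll-01", "7.3.2-2125", "Collector"),
    ("siem-super-02", "7.1.9", "Supervisor"),
    ("siem-lab", "6.7.4", "Supervisor"),
    ("siem-new", "7.5.0", "Supervisor"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        flag = {True: "AFFECTED", False: "ok", None: "UNKNOWN"}[f.affected]
        print(f"{flag:9} {f.host:15} {f.version:12} {f.role:11} {f.action}")
```

Feed the script your own inventory export in place of `SAMPLE_INVENTORY`; anything reported as `UNKNOWN` (branches older than 6.7) should be checked directly against Fortinet's advisory rather than assumed safe.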
Isolate FortiSIEM Instances From the Internet
According to Fortinet, FortiSIEM should be placed in an isolated network segment behind a firewall and not exposed on the public internet. Keeping the service isolated from the internet reduces the attack surface and prevents threat actors from gaining initial access through critical vulnerabilities such as CVE-2025-64155.
Workaround (Optional)
For users unable to immediately apply the patch, Fortinet recommends restricting network access to FortiSIEM's phMonitor service (TCP/7900).
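Whichever of the two controls above is applied, the check that matters is whether TCP/7900 on the Supervisor and Worker nodes is still reachable from networks that should not reach it. The following script (an added example, not Arctic Wolf's or Fortinet's tooling) classifies each target as open, closed, filtered or unreachable from the vantage point it runs on, so it can be run from the internet-facing side or from an untrusted segment to confirm the restriction. The localhost listener and helper ports it uses for its own demonstration are constructed test fixtures, and the example host names are assumptions.

```python
"""Confirm that FortiSIEM phMonitor (TCP/7900) is not reachable from here.

Added example, not Arctic Wolf's or Fortinet's code. Run it from the network
position you want to verify (e.g. an internet egress or a user VLAN). The
localhost listener below exists only so the script can demonstrate itself.
"""
import socket
import threading

PHMONITOR_PORT = 7900


def check_port(host: str, port: int = PHMONITOR_PORT, timeout: float = 2.0) -> str:
    """Classify reachability of host:port from this vantage point.

    'open'        - TCP handshake completed: the service is exposed here.
    'closed'      - host answered with RST: reachable, nothing listening.
    'filtered'    - no answer before the timeout: a firewall is dropping
                    traffic, the expected result once access is restricted.
    'unreachable' - no route or name resolution failure from here.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # subclass of OSError: must come first
        return "filtered"
    except ConnectionRefusedError:  # also an OSError subclass
        return "closed"
    except OSError:
        return "unreachable"


def exposed_hosts(hosts, port: int = PHMONITOR_PORT, timeout: float = 2.0):
    """Return (per-host status, list of hosts where the port is open)."""
    status = {h: check_port(h, port, timeout) for h in hosts}
    return status, [h for h, s in status.items() if s == "open"]


# --- constructed fixtures so the example runs offline ---------------------

def _accept_once(srv: socket.socket) -> None:
    try:
        conn, _ = srv.accept()
        conn.close()
    finally:
        srv.close()


def start_dummy_listener() -> int:
    """Bind a throwaway listener on 127.0.0.1 and return its port (test fixture)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=_accept_once, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def free_closed_port() -> int:
    """Return a localhost port with nothing listening (test fixture)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Demonstration against local fixtures; replace with your real targets,
    # e.g. exposed_hosts(["siem-super-01.example.internal"]) (assumed names).
    listening = start_dummy_listener()
    print("listener  :", check_port("127.0.0.1", listening))        # open
    print("no service:", check_port("127.0.0.1", free_closed_port()))  # closed
    status, exposed = exposed_hosts(["127.0.0.1"], free_closed_port())
    print("exposed   :", exposed)                                    # []
```

A `filtered` result from an untrusted vantage point is what the isolation and workaround guidance aims for; `open` from such a position means the phMonitor service is still reachable and the node should be treated as exposed until it is patched or the access restriction is corrected.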