{"id":9919,"date":"2026-01-16T10:03:56","date_gmt":"2026-01-16T10:03:56","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/16\/fortinet-fortisiem-vulnerability-cve-2025-64155-actively-exploited-in-attacks\/"},"modified":"2026-01-16T10:03:56","modified_gmt":"2026-01-16T10:03:56","slug":"fortinet-fortisiem-vulnerability-cve-2025-64155-actively-exploited-in-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/16\/fortinet-fortisiem-vulnerability-cve-2025-64155-actively-exploited-in-attacks\/","title":{"rendered":"Fortinet FortiSIEM Vulnerability CVE-2025-64155 Actively Exploited in Attacks"},"content":{"rendered":"

Fortinet FortiSIEM Vulnerability CVE-2025-64155 Actively Exploited in Attacks
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Fortinet FortiSIEM vulnerability CVE-2025-64155<\/a> is under active exploitation, as confirmed by Defused through their honeypot deployments.<\/p>\n

This critical OS command injection flaw enables unauthenticated remote code execution, posing severe risks to enterprise security monitoring systems.<\/p>\n

CVE-2025-64155<\/a> stems from improper neutralization of special elements in OS commands within the FortiSIEM phMonitor service, which handles internal data exchange across Super and Worker nodes.<\/p>\n

Attackers send crafted TCP requests to port 7900, targeting storage configuration endpoints with an elastic type set, injecting arguments into a curl command via XML payloads for arbitrary file writes as the admin user.<\/p>\n

A chained privilege escalation allows root access by overwriting executed binaries.<\/p>\n

Proof-of-concept code is public on GitHub<\/a>, demonstrating full RCE chains. Fortinet\u2019s advisory confirms no impact on Cloud or Collector nodes.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n
Product Version<\/th>\nAffected Range<\/th>\nFixed Version fortiguard+1\u200b<\/th>\n<\/tr>\n<\/thead>\n
FortiSIEM 6.7<\/td>\n6.7.0 through 6.7.10<\/td>\nMigrate to a fixed release<\/td>\n<\/tr>\n
FortiSIEM 7.0<\/td>\n7.0.0 through 7.0.4<\/td>\nMigrate to a fixed release<\/td>\n<\/tr>\n
FortiSIEM 7.1<\/td>\n7.1.0 through 7.1.8<\/td>\n7.1.9 or above<\/td>\n<\/tr>\n
FortiSIEM 7.2<\/td>\n7.2.0 through 7.2.6<\/td>\n7.2.7 or above<\/td>\n<\/tr>\n
FortiSIEM 7.3<\/td>\n7.3.0 through 7.3.4<\/td>\n7.3.5 or above<\/td>\n<\/tr>\n
FortiSIEM 7.4<\/td>\n7.4.0<\/td>\n7.4.1 or above<\/td>\n<\/tr>\n
FortiSIEM 7.5<\/td>\nNot affected<\/td>\nN\/A<\/td>\n<\/tr>\n
FortiSIEM Cloud<\/td>\nNot affected<\/td>\nN\/A<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Defused detected<\/a> targeted attacks hitting honeypots shortly after patch release, with payloads embedding second-stage infrastructure in injection strings.<\/p>\n

Exploit attempts log in \/opt\/phoenix\/log\/phoenix.log as PHL_ERROR entries showing attacker URLs and file paths. The flaw\u2019s unauthenticated nature and SIEM exposure amplify risks, enabling log tampering, data exfiltration, or lateral movement.<\/p>\n

\n
\"Active
Active Exploitation (Source: Defused)<\/figcaption><\/figure>\n<\/div>\n

Recent indicators of compromise from Defused scans include:<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n
IP Address<\/th>\nASN\/Organization <\/th>\n<\/tr>\n<\/thead>\n
167.17.179[.]109<\/td>\nBaxet Group Inc.<\/td>\n<\/tr>\n
103.224.84[.]76<\/td>\nSiamdata Communication<\/td>\n<\/tr>\n
209.126.11[.]25<\/td>\nContabo<\/td>\n<\/tr>\n
120.231.127[.]227<\/td>\nChina Mobile Communications Group<\/td>\n<\/tr>\n
129.226.190[.]169<\/td>\nTencent<\/td>\n<\/tr>\n
220.181.41[.]80<\/td>\nIDC, China Telecommunications Corporation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Sample payloads mimic elastic storage configs, like XML with cluster names (\u201ctest-cluster\u201d), replica counts (4), and elasticsearch service tests, injecting via shard number or URI params. No CISA KEV listing yet, but 23 prior Fortinet flaws are actively exploited.<\/p>\n

Organizations must upgrade Super\/Worker nodes immediately per Fortinet\u2019s advisory<\/a>. Block external access to TCP 7900 as a workaround. Monitor phMonitor logs for anomalies and scan for IOCs using EDR tools.<\/p>\n

Fortinet urges prioritization given PoC availability and historical targeting. Enterprises relying on FortiSIEM for threat detection face irony: compromised SIEMs blind defenders to broader breaches.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Fortinet FortiSIEM Vulnerability CVE-2025-64155 Actively Exploited in Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Fortinet FortiSIEM Vulnerability CVE-2025-64155 Actively Exploited in Attacks Fortinet FortiSIEM vulnerability CVE-2025-64155 is under active exploitation, as confirmed by Defused through their honeypot deployments. This critical OS command injection flaw enables unauthenticated remote code execution, posing severe risks to enterprise security monitoring systems. CVE-2025-64155 stems from improper neutralization of special elements in OS commands within […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-9919","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9919"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9919"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9919\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9919"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9919"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9919"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}