Critical FortiSIEM Vulnerability Allows Remote Lets Attackers

Marcus Rodriguez
January 14, 2026

A critical OS command injection vulnerability, disclosed by Fortinet on January 13, 2026, impacts its FortiSIEM product. This high-risk flaw permits unauthenticated attackers to execute arbitrary code.

Tracked as CVE-2025-64155, the issue stems from improper neutralization of special elements in OS commands (CWE-78) within the phMonitor component on port 7900. Attackers can craft malicious TCP requests to Super and Worker nodes, potentially resulting in full-system compromise.

With a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is rated Critical due to its network accessibility, low complexity, and lack of required privileges.

No user interaction is required, and exploitation could result in remote code execution, data theft, or persistence in environments that rely on FortiSIEM for security information and event management.

Affected Versions and Fixes

This flaw affects multiple FortiSIEM branches but leaves Collector nodes unaffected. Fortinet urges immediate upgrades or migrations, with a workaround of restricting access to TCP port 7900 via firewalls.

| Version | Affected Releases | Solution |
|---|---|---|
| FortiSIEM Cloud | Not affected | Not Applicable |
| FortiSIEM 7.5 | Not affected | Not Applicable |
| FortiSIEM 7.4 | 7.4.0 | Upgrade to 7.4.1 or above |
| FortiSIEM 7.3 | 7.3.0 through 7.3.4 | Upgrade to 7.3.5 or above |
| FortiSIEM 7.2 | 7.2.0 through 7.2.6 | Upgrade to 7.2.7 or above |
| FortiSIEM 7.1 | 7.1.0 through 7.1.8 | Upgrade to 7.1.9 or above |
| FortiSIEM 7.0 | 7.0.0 through 7.0.4 | Migrate to a fixed release |
| FortiSIEM 6.7 | 6.7.0 through 6.7.10 | Migrate to a fixed release |

Organizations running vulnerable versions in production face elevated risks, especially in hybrid or on-premises SIEM deployments.

Security researcher Zach Hanley (@hacks_zach) of Horizon3.ai responsibly reported the bug under Fortinet’s program. The advisory (FG-IR-25-772) appeared on Fortinet’s PSIRT page, with NVD details pending full analysis. No evidence of active exploitation has surfaced yet, but the unauthenticated nature demands urgency.

Fortinet recommends auditing logs for anomalous TCP/7900 traffic and applying patches promptly. This incident underscores the need for least-privilege network segmentation in SIEM architectures.
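
One way to run the TCP/7900 log audit described above, as an added example that is not from Fortinet or the original article. The key=value log format, the node addresses and the allowlisted CIDR are assumptions; substitute your own firewall export and FortiSIEM node inventory.

```python
import ipaddress
from collections import defaultdict

# Assumption: CIDRs of hosts expected to reach phMonitor (your own FortiSIEM nodes).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/28")]
# Assumption: addresses of the Super and Worker nodes being protected.
SIEM_NODES = {ipaddress.ip_address("10.20.0.5"), ipaddress.ip_address("10.20.0.6")}
PHMONITOR_PORT = 7900

# Constructed sample lines in a generic key=value firewall log format.
SAMPLE_LOG = """\
ts=2026-01-14T02:11:09Z src=10.20.0.6 dst=10.20.0.5 dport=7900 proto=tcp action=accept
ts=2026-01-14T02:11:41Z src=10.20.7.44 dst=10.20.0.5 dport=7900 proto=tcp action=accept
ts=2026-01-14T02:12:02Z src=198.51.100.23 dst=10.20.0.6 dport=7900 proto=tcp action=deny
ts=2026-01-14T02:12:03Z src=198.51.100.23 dst=10.20.0.6 dport=7900 proto=tcp action=deny
ts=2026-01-14T02:12:30Z src=10.20.7.44 dst=10.20.0.5 dport=443 proto=tcp action=accept
ts=2026-01-14T02:13:00Z src=10.20.7.44 dst=10.20.0.9 dport=7900 proto=tcp action=accept
malformed line without fields
"""

def parse_line(line):
    """Return a dict of typed fields, or None if the line is unusable."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"src", "dst", "dport", "proto", "action"} <= fields.keys():
        return None
    try:
        fields["src"], fields["dst"] = (ipaddress.ip_address(fields[k]) for k in ("src", "dst"))
        fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    return fields

def audit_phmonitor(log_text):
    """Count TCP/7900 connections to SIEM nodes from non-allowlisted sources."""
    findings = defaultdict(lambda: {"accept": 0, "deny": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != PHMONITOR_PORT:
            continue
        if rec["dst"] not in SIEM_NODES or rec["action"] not in ("accept", "deny"):
            continue
        if any(rec["src"] in net for net in ALLOWED_SOURCES):
            continue  # expected node-to-node traffic
        findings[str(rec["src"])][rec["action"]] += 1
    return dict(findings)

if __name__ == "__main__":
    for src, counts in audit_phmonitor(SAMPLE_LOG).items():
        print(src, counts, "REACHED NODE" if counts["accept"] else "blocked")
```

A source with a non-zero `accept` count means the port 7900 restriction is not in effect for that path; `deny`-only sources show the firewall rule working against unexpected connection attempts.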
