CVE-2025-64155 – Critical RCE in Fortinet FortiSIEM

PravinKarthik

5 hours ago

Technical Breakdown

Attackers send crafted TCP requests to the phMonitor service on port 7900, exploiting improper input sanitization in storage configuration handling (e.g., NFS/elastic types). This bypasses wrappers like addParaSafe, enabling shell command execution without authentication.The phMonitorProcess::initEventHandler parses XML payloads, logging activity in /opt/phoenix/log/phoenix.logs with PHL_ERROR markers showing payloads and file writes – key for detection.

Affected Versions

Branch	Vulnerable Range	Fixed Versions
7.4.x	All	N/A (upgrade branch)^[web:3]
7.3.x	7.3.0-7.3.1	7.3.2+^[web:3]
7.2.x	Earlier	7.2.6+^[web:3]
7.1.x	Earlier	7.1.8+^[web:3]
7.0.x	7.0.0-7.0.3	7.0.4+^[web:3]
6.7.x	6.7.0-6.7.9	6.7.10+^[web:3]

FortiSIEM Cloud unaffected; on-premises with exposed ports at highest risk for log tampering, credential theft, and ransomware pivots.

Disclosure Timeline

August 14, 2025: Horizon3.ai reports to Fortinet PSIRT.
September 16, 2025: Fortinet confirms reproduction.
November 5, 2025: 90-day deadline query; one branch delayed.
January 12-14, 2026: Public disclosure, patches, GitHub PoC release.

Follows prior FortiSIEM flaws like CVE-2023-34992 and CVE-2024-23108, plus CVE-2025-25256 (August 2025, in-the-wild).

Indicators and Detection

Monitor phoenix.logs for PHL_ERROR with web URLs or anomalous storage requests. Horizon3.ai’s GitHub offers PoC and IoCs; no CISA KEV yet, but track for updates.

Recommendations

Patch Now: Upgrade per FortiGuard FG-IR-25-772.
Network Controls: Block TCP/7900 externally; use firewalls.
Hunt: Scan logs for exploits; review cron jobs for tampering.
Monitor: Watch CISA, NVD for KEV addition given ransomware interest (e.g., Black Basta chats).

See Horizon3.ai deep-dive and Fortinet advisory for full exploit details.

Technical Breakdown

Affected Versions

Disclosure Timeline

Indicators and Detection

Recommendations

Share this: