
Fortinet patched a severe unauthenticated remote command injection flaw in FortiSIEM on January 13, 2026, tracked as CVE-2025-64155 with a CVSS score of 9.4. Discovered by Horizon3.ai in August 2025, the flaw chains argument injection (giving arbitrary file writes as the admin user) with cron-based privilege escalation to root.
Technical Breakdown
Attackers send crafted TCP requests to the phMonitor service on port 7900, exploiting improper input sanitization in storage configuration handling (e.g., the NFS and elastic storage types). This bypasses sanitizing wrappers such as addParaSafe and allows shell command execution without authentication. The phMonitorProcess::initEventHandler routine parses the XML payloads and logs its activity in /opt/phoenix/log/phoenix.logs; entries with PHL_ERROR markers record the payloads and resulting file writes, which makes that log the primary detection source.
Affected Versions
| Branch | Vulnerable Range | Fixed Versions |
|---|---|---|
| 7.4.x | All | N/A (upgrade branch) |
| 7.3.x | 7.3.0-7.3.1 | 7.3.2+ |
| 7.2.x | Earlier | 7.2.6+ |
| 7.1.x | Earlier | 7.1.8+ |
| 7.0.x | 7.0.0-7.0.3 | 7.0.4+ |
| 6.7.x | 6.7.0-6.7.9 | 6.7.10+ |
FortiSIEM Cloud is unaffected; on-premises deployments that expose the phMonitor port are at the highest risk of log tampering, credential theft, and use as a pivot for ransomware.
Disclosure Timeline
- August 14, 2025: Horizon3.ai reports to Fortinet PSIRT.
- September 16, 2025: Fortinet confirms reproduction.
- November 5, 2025: 90-day deadline query; one branch delayed.
- January 12-14, 2026: Public disclosure, patches, GitHub PoC release.
This follows prior FortiSIEM flaws such as CVE-2023-34992 and CVE-2024-23108, as well as CVE-2025-25256 (August 2025, exploited in the wild).
Indicators and Detection
Monitor phoenix.logs for PHL_ERROR with web URLs or anomalous storage requests. Horizon3.ai’s GitHub offers PoC and IoCs; no CISA KEV yet, but track for updates.
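The detection advice above can be turned into a simple log triage script. The following is an added example written for this article, not code from Horizon3.ai or Fortinet. It assumes the phoenix.logs layout shown in the constructed sample lines (a timestamp, a bracketed level such as PHL_ERROR, and a free-text message); the real file format may differ, so adjust the regular expressions to your own log samples before relying on it. It flags PHL_ERROR lines that either contain a web URL or refer to a storage configuration request of the NFS or elastic type, the two signals the article names.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample lines. The layout is an ASSUMPTION for illustration,
# not the documented FortiSIEM phoenix.logs format.
SAMPLE_LOG = """\
2026-01-13 10:01:02 [PHL_INFO] phMonitorProcess::initEventHandler: storage config update, type=local
2026-01-13 10:02:15 [PHL_ERROR] phMonitorProcess::initEventHandler: storage request type=nfs server=http://203.0.113.10/payload
2026-01-13 10:02:16 [PHL_ERROR] addParaSafe: unexpected token in storage request type=elastic
2026-01-13 10:05:00 [PHL_ERROR] database connection timeout after 30s
"""

# A URL inside an error entry is unusual for the phMonitor storage handler.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Storage configuration requests for the NFS/elastic types mentioned in the write-up.
STORAGE_RE = re.compile(r"\bstorage\b.*\btype=(nfs|elastic)\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int   # 1-based line number within the scanned text
    reason: str    # which heuristics matched, joined with '+'
    line: str      # the raw log line for analyst review


def scan_phoenix_log(text: str) -> list[Finding]:
    """Return PHL_ERROR lines that carry a URL or an NFS/elastic storage request."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        # Only PHL_ERROR entries are of interest; everything else is skipped.
        if "PHL_ERROR" not in line:
            continue
        reasons = []
        if URL_RE.search(line):
            reasons.append("url-in-error")
        if STORAGE_RE.search(line):
            reasons.append("storage-config-error")
        if reasons:
            findings.append(Finding(n, "+".join(reasons), line))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan a phoenix.logs file on disk (for example /opt/phoenix/log/phoenix.logs)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_phoenix_log(fh.read())


if __name__ == "__main__":
    # Usage: python scan_phoenix.py [/path/to/phoenix.logs]; without a path the sample is scanned.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_phoenix_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no} [{f.reason}]: {f.line}")
```

Run it against the sample and it reports the two suspicious PHL_ERROR entries while ignoring the informational line and the unrelated database error. In production, feed the output into your SIEM as a hunting lead rather than an alert on its own, since a genuine misconfiguration can also produce storage errors.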
Recommendations
- Patch Now: Upgrade per FortiGuard FG-IR-25-772.
- Network Controls: Block TCP/7900 externally; use firewalls.
- Hunt: Scan logs for exploitation attempts; review cron jobs for tampering.
- Monitor: Watch CISA, NVD for KEV addition given ransomware interest (e.g., Black Basta chats).
See Horizon3.ai deep-dive and Fortinet advisory for full exploit details.