CVE-2025-64155 is an OS command injection vulnerability found in Fortinet FortiSIEM versions 6.7.0 through 7.4.0. The vulnerability arises from improper neutralization of special elements in operating system commands, allowing an attacker to inject and execute arbitrary commands via specially crafted TCP requests. This flaw does not require authentication or user interaction, making it highly exploitable remotely over the network. FortiSIEM is a security information and event management (SIEM) platform used to monitor and analyze security events across enterprise networks. Exploitation of this vulnerability could allow attackers to gain unauthorized control over the FortiSIEM system, potentially leading to full compromise of the security monitoring infrastructure. This could result in attackers disabling security alerts, manipulating logs, or using the compromised system as a pivot point for further attacks. The vulnerability has a CVSS v3.1 score of 9.4, indicating critical severity with high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild yet, the ease of exploitation and the critical nature of the affected systems make this a significant threat. Fortinet has not yet published patches or mitigation details, so organizations must rely on network-level defenses and monitoring to reduce risk until updates are available.

The impact on European organizations is potentially severe. FortiSIEM is widely used in enterprise and government sectors for centralized security monitoring and incident response. A successful attack could lead to unauthorized code execution on FortiSIEM servers, allowing attackers to disable or manipulate security event data, hide their activities, and gain persistent access to the network. This compromises the confidentiality and integrity of security logs and alerts, undermining an organization's ability to detect and respond to threats. Availability of the SIEM system could also be disrupted, impairing security operations. Critical infrastructure sectors such as finance, energy, telecommunications, and government agencies in Europe that rely on FortiSIEM for security monitoring are at heightened risk. The vulnerability's network-level exploitability without authentication increases the likelihood of targeted attacks or automated exploitation attempts. The absence of known exploits currently provides a window for proactive mitigation, but the threat landscape could rapidly evolve.

Given the lack of published patches at this time, European organizations should implement immediate compensating controls. These include restricting network access to FortiSIEM management interfaces using firewalls and network segmentation to limit exposure to untrusted networks. Deploy intrusion detection and prevention systems (IDS/IPS) to monitor and block suspicious TCP traffic patterns targeting FortiSIEM. Enable strict access controls and multi-factor authentication for administrative access to FortiSIEM. Conduct thorough logging and monitoring of FortiSIEM activity to detect anomalous behavior indicative of exploitation attempts. Organizations should engage with Fortinet support to obtain any available security advisories or beta patches. Regularly review and update incident response plans to address potential compromise scenarios involving SIEM systems. Once patches are released, prioritize immediate deployment after testing in controlled environments. Additionally, consider deploying virtual patching or application-layer firewalls that can filter malicious payloads targeting this vulnerability.