Fortinet disclosed a critical vulnerability (CVE-2025-64155) in its FortiSIEM product, specifically affecting the phMonitor service responsible for health monitoring, task distribution, and inter-node communication. This service listens on TCP port 7900 and exposes several command handlers that do not require authentication. The vulnerability is an OS command injection (CWE-78) caused by improper neutralization of special elements in OS commands. An attacker can send crafted TCP requests to phMonitor, injecting arguments that lead to arbitrary file writes on disk as the admin user. This initial injection allows writing a reverse shell script to "/opt/charting/redishb.sh," a file executed every minute by a root-privileged cron job. Consequently, the attacker can escalate privileges from admin to root, gaining full control over the FortiSIEM appliance. The flaw affects multiple FortiSIEM versions from 6.7.0 through 7.4.0, with fixed versions available and FortiSIEM Cloud and version 7.5 unaffected. The vulnerability was responsibly disclosed by researcher Zach Hanley in August 2025. Fortinet advises upgrading to patched versions and limiting network access to port 7900 to mitigate exploitation risk. No active exploitation has been reported yet, but the vulnerability's characteristics make it highly exploitable and dangerous.

For European organizations, this vulnerability poses a significant risk due to FortiSIEM's role in security event management and monitoring. Successful exploitation allows attackers to gain unauthenticated remote code execution and full root control over FortiSIEM appliances, potentially leading to complete compromise of security monitoring infrastructure. This can result in attackers disabling or manipulating security logs, evading detection, and using the compromised system as a foothold for lateral movement within networks. Critical sectors such as finance, energy, telecommunications, and government agencies relying on FortiSIEM for real-time security analytics are particularly vulnerable. The ability to escalate privileges to root exacerbates the threat, enabling attackers to install persistent backdoors or disrupt operations. Given the unauthenticated nature and remote access vector, the vulnerability could be exploited by external threat actors or insider threats with network access, increasing the attack surface. The lack of known exploits in the wild provides a window for proactive defense, but the high severity demands urgent remediation to prevent potential widespread impact.

1. Immediately upgrade FortiSIEM appliances to the fixed versions as specified by Fortinet: 6.7.11 or later, 7.0.5 or later, 7.1.9 or later, 7.2.7 or later, 7.3.5 or later, and 7.4.1 or later. 2. Restrict network access to TCP port 7900 on FortiSIEM Super and Worker nodes using firewall rules or network segmentation to limit exposure to trusted management networks only. 3. Monitor network traffic for unusual or unauthorized connections to port 7900 and implement intrusion detection signatures targeting anomalous phMonitor requests. 4. Audit FortiSIEM logs and system integrity for signs of compromise, focusing on unexpected file modifications, especially the cron-executed shell script at "/opt/charting/redishb.sh." 5. Employ multi-factor authentication and strict access controls on FortiSIEM management interfaces to reduce risk from lateral movement post-compromise. 6. Conduct regular vulnerability assessments and penetration testing focused on FortiSIEM deployments to identify residual risks. 7. Maintain up-to-date incident response plans that include scenarios involving security monitoring infrastructure compromise. 8. Coordinate with Fortinet support and subscribe to security advisories for timely updates on related vulnerabilities and patches.