Fortinet is warning a couple of distant unauthenticated command injection flaw in FortiSIEM that has in-the-wild exploit code, making it crucial for admins to use the most recent safety updates.
FortiSIEM is a central safety monitoring and analytics system used for logging, community telemetry, and safety incident alerts, serving as an integral a part of safety operation facilities, the place it is an important instrument within the fingers of IT ops groups and analysts.
The product is usually utilized by governments, giant enterprises, monetary establishments, healthcare suppliers, and managed safety service suppliers (MSSPs).
The flaw, tracked as CVE-2025-25256 and rated crucial (CVSS: 9.8), impacts a number of branches of SIEM, from 5.4 as much as 7.3.
“An improper neutralization of particular components utilized in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM could enable an unauthenticated attacker to execute unauthorized code or instructions by way of crafted CLI requests,” describes Fortinet.
Whereas Fortinet doesn’t outright state that the flaw was exploited as a zero-day, they did verify that purposeful exploit code exists for the flaw.
“Sensible exploit code for this vulnerability was discovered within the wild,” famous the seller.
Fortinet says exploitation of this flaw doesn’t produce distinctive IOCs to find out if a tool has been compromised.
This disclosure comes a day after GreyNoise warned of a large spike in brute-force assaults focusing on Fortinet SSL VPNs earlier this month, adopted by a swap to FortiManager. The community risk intelligence firm warned that spikes of malicious visitors typically precede the disclosure of a brand new vulnerability.
It’s unclear if Fortinet’s disclosure of CVE-2025-25256 is expounded to GreyNoise’s report.
Given the provision of an exploit proof of idea (PoC), organizations should apply the most recent safety updates for CVE-2025-25256 as quickly as potential by upgrading to one of many following FortiSIEM variations:
- FortiSIEM 7.3.2
- FortiSIEM 7.2.6
- FortiSIEM 7.1.8
- FortiSIEM 7.0.4
- FortiSIEM 6.7.10
FortiSIEM variations 5.4 to six.6 are additionally susceptible in all variations, however they’re not supported and won’t obtain a patch for the flaw. Directors managing older FortiSIEM variations are suggested emigrate to a more moderen, actively supported launch.
Fortinet additionally included a workaround of limiting entry to the phMonitor on port 7900, indicating that that is the entry level for malicious exploitation.
It is necessary to notice that such workarounds cut back publicity and purchase time till an improve might be carried out. Nevertheless, they don’t repair the underlying vulnerability.
46% of environments had passwords cracked, almost doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete have a look at extra findings on prevention, detection, and information exfiltration traits.
