InfoSecBulletin Cybersecurity for mankind
A critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code is now being abused in attacks.
Security researcher Zach Hanley from Horizon3.ai reported vulnerability CVE-2025-64155, which combines two issues that enable arbitrary writes with admin permissions and privilege escalation to root access.
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
“An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,” Fortinet explained on Tuesday, when it released security updates to patch the flaw.
Horizon3.ai released a technical report identifying that the problem is due to many command handlers in the phMonitor service being accessed remotely without authentication. They provided proof-of-concept exploit code that can achieve root code execution by using argument injection to overwrite the /opt/charting/redishb.sh file.
The flaw exists in FortiSIEM versions 6.7 to 7.5, which can be fixed by upgrading to FortiSIEM 7.4.1 or later, 7.3.5 or later, 7.2.7 or later, or 7.1.9 or later. Users of FortiSIEM 7.0.0 to 7.0.4 and 6.7.0 to 6.7.10 should upgrade to a secure version.
On Tuesday, Fortinet also shared a temporary workaround for admins who can’t immediately apply security updates, requiring them to limit access to the phMonitor port (7900).
Defused reported that threat actors are actively exploiting the CVE-2025-64155 flaw in the wild two days later.
“Fortinet FortiSIEM vulnerability CVE-2025-64155 is experience active, targeted exploitation in our honeypots,” Defused warned.
Horizon3.ai offers indicators of compromise to aid defenders in spotting compromised systems. Researchers noted that admins can look for signs of malicious activity by reviewing the phMonitor message logs at /opt/phoenix/log/phoenix.logs, specifically for payload URLs associated with PHL_ERROR entries.
Fortinet has yet to update its security advisory and flag the vulnerability as exploited in attacks as reported by BleepingComputer.
