Fortinet has issued a critical security alert regarding a severe vulnerability in its FortiSIEM product. The flaw, identified as CVE-2025-25256, has a CVSS severity score of 9.8 out of 10, placing it in the “critical” risk category. According to Fortinet, there is already working exploit code circulating in the wild, which means attackers are actively targeting vulnerable systems.
The vulnerability is classified as an OS Command Injection flaw (CWE-78). It exists due to improper neutralization of special elements in certain OS commands within FortiSIEM. This security gap allows unauthenticated attackers to send specially crafted command-line interface (CLI) requests and execute arbitrary code or commands on the affected device.
If exploited successfully, attackers could:
-
Gain unauthorized access to the system
-
Run malicious scripts or commands
-
Potentially compromise connected networks and devices
Given that no authentication is required, this makes the flaw particularly dangerous for internet-exposed FortiSIEM instances.
Fortinet confirmed that multiple versions of FortiSIEM are impacted. The vulnerability affects:
-
FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6 – Migrate to a fixed release
-
FortiSIEM 6.7.0 to 6.7.9 – Upgrade to 6.7.10 or later
-
FortiSIEM 7.0.0 to 7.0.3 – Upgrade to 7.0.4 or later
-
FortiSIEM 7.1.0 to 7.1.7 – Upgrade to 7.1.8 or later
-
FortiSIEM 7.2.0 to 7.2.5 – Upgrade to 7.2.6 or later
-
FortiSIEM 7.3.0 to 7.3.1 – Upgrade to 7.3.2 or later
-
FortiSIEM 7.4 – Not affected
One of the most alarming aspects of CVE-2025-25256 is that Fortinet has confirmed the existence of a working exploit. While the company has not disclosed exactly where the exploit was found or who is using it, the fact that it’s publicly available means the risk of mass exploitation is high.
Fortinet also mentioned that the exploit does not produce clear or distinctive indicators of compromise (IoCs). This makes it harder for security teams to detect attacks in their early stages, increasing the likelihood of successful breaches.
While applying the security patch remains the most effective solution, Fortinet has provided an interim workaround for organizations that cannot immediately update their systems.
Fortinet’s temporary security recommendation:
-
Restrict access to the phMonitor port (7900)
This reduces the potential attack surface, preventing remote attackers from sending malicious requests.
Additional security best practices:
-
Apply security updates immediately to the affected versions.
-
Limit internet exposure of FortiSIEM services by placing them behind a VPN or firewall.
-
Monitor logs for suspicious activity even if no clear IoCs are available.
-
Enforce least-privilege access policies to minimize potential damage in case of compromise.
This warning comes just one day after GreyNoise, a threat intelligence firm, reported a major spike in brute-force attack traffic targeting Fortinet SSL VPN devices. The attacks originated from dozens of IP addresses across the United States, Canada, Russia, and the Netherlands, probing Fortinet systems worldwide.
Although the spike in brute-force attempts is not directly linked to CVE-2025-25256, it highlights the growing interest of cybercriminals in exploiting Fortinet products. It also underscores the importance of securing network edge devices against both credential-based attacks and software vulnerabilities.
Several factors make this vulnerability especially dangerous:
Unauthenticated access – No login credentials are needed for exploitation.
Remote code execution – Attackers can run commands as if they had administrative control.
Widespread impact – Multiple FortiSIEM versions are vulnerable.
Active exploitation – Exploit code is already available and being used.
Difficult detection – Lack of clear IoCs makes spotting an attack challenging.
Given the critical nature of the flaw, organizations using FortiSIEM should treat this as an emergency patching priority.
The discovery of CVE-2025-25256 and the confirmation of its exploitation in the wild marks another reminder that security monitoring tools themselves can become attack targets. Organizations relying on FortiSIEM must act quickly by updating to a patched version or applying workarounds to reduce exposure.
Cybercriminals are increasingly targeting high-value network monitoring and security solutions because compromising them offers deep visibility into enterprise environments. A single exploited FortiSIEM instance could allow attackers to observe, manipulate, or completely disable security defenses.
Interesting Article : Microsoft Sets End-of-Support Date for Windows 11 23H2 Home and Pro Editions
Pingback: Cisco Patches Critical CVE-2025-20265 FMC RADIUS Flaw Allowing Remote Code Execution