Critical FortiSIEM OS Command Injection Vulnerability (CVE-2025-25256) Under Active Exploitation
- November 19, 2025
- Posted by: Chernor Jalloh
THREAT OVERVIEW
SL-CSIRT warns all organizations of a critical OS Command Injection vulnerability affecting multiple versions of Fortinet’s FortiSIEM product. This flaw, tracked as CVE-2025-25256 with a CVSS score of 9.8 (Critical), allows unauthenticated remote attackers to execute arbitrary code or system commands via specially crafted CLI requests.
Fortinet has confirmed that exploit code is publicly available and being actively used in the wild, posing a severe threat to unpatched systems. Detection is challenging because exploitation produces no distinctive indicators of compromise (IoCs).
AFFECTED PRODUCTS
The vulnerability affects the following FortiSIEM versions:
• FortiSIEM 6.1 – 6.6 → Migrate to a fixed release
• FortiSIEM 6.7.0 – 6.7.9 → Upgrade to 6.7.10 or later
• FortiSIEM 7.0.0 – 7.0.3 → Upgrade to 7.0.4 or later
• FortiSIEM 7.1.0 – 7.1.7 → Upgrade to 7.1.8 or later
• FortiSIEM 7.2.0 – 7.2.5 → Upgrade to 7.2.6 or later
• FortiSIEM 7.3.0 – 7.3.1 → Upgrade to 7.3.2 or later
• FortiSIEM 7.4 → Not affected
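To turn the version table above into a triage check for an asset inventory, here is an added example in Python (not from SL-CSIRT or Fortinet). The hostnames and versions in the sample inventory are constructed, and any branch the advisory does not list is reported as "unknown" rather than assumed safe.

```python
# Added example: triage FortiSIEM versions against the affected ranges and
# fixed releases listed in the advisory for CVE-2025-25256.

# Branches with a patched build: branch (major, minor) -> first fixed version.
FIXED_BY_BRANCH = {
    (6, 7): (6, 7, 10),
    (7, 0): (7, 0, 4),
    (7, 1): (7, 1, 8),
    (7, 2): (7, 2, 6),
    (7, 3): (7, 3, 2),
}
# 6.1 - 6.6 have no fixed build; the advisory says to migrate to a fixed release.
MIGRATE_BRANCHES = {(6, minor) for minor in range(1, 7)}
# Branch the advisory lists as not affected.
SAFE_BRANCHES = {(7, 4)}


def parse_version(text):
    """Turn '7.2.5' (or '7.4') into a comparable tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def assess(version_text):
    """Return (status, action) for one FortiSIEM version string."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in MIGRATE_BRANCHES:
        return "affected", "migrate to a fixed release (no patched build for this branch)"
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        if version < fixed:
            return "affected", "upgrade to %s or later" % ".".join(map(str, fixed))
        return "fixed", "already at or above the fixed release"
    if branch in SAFE_BRANCHES:
        return "not affected", "branch listed as not affected"
    # Versions outside the advisory's table need a vendor check, not a free pass.
    return "unknown", "branch not covered by the advisory; check the vendor PSIRT"


def triage(inventory):
    """inventory: iterable of (hostname, version). Returns one verdict dict per host."""
    return [{"host": host, "version": ver, "status": assess(ver)[0], "action": assess(ver)[1]}
            for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("siem-prod-01", "7.2.5"), ("siem-lab", "6.5.0"), ("siem-new", "7.4.0")]
    for row in triage(sample):
        print(row)
```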
IMPACT
Successful exploitation could allow attackers to:
• Execute arbitrary OS commands.
• Gain full administrative control over the affected system.
• Install additional malware or pivot to other network resources.
Given the public availability of exploit code and ongoing attacks, compromise could occur within minutes of exposure.
MITIGATION
Immediate actions are strongly advised:
1. Apply Security Updates: Upgrade to the fixed versions listed above without delay.
2. Restrict Network Access: Limit access to the phMonitor port (7900) to trusted IP addresses only.
3. Network Monitoring: Implement strict monitoring for unusual CLI requests or unauthorized command execution attempts.
4. Limit Internet Exposure: Ensure FortiSIEM instances are not directly accessible from the public internet.
5. Incident Preparedness: Review backup and recovery procedures in case of compromise.