What is CVE-2025-64155?

It is a critical OS command injection flaw in Fortinet FortiSIEM that allows unauthenticated remote code execution.

How are attackers using this flaw?

They send crafted TCP requests to the phMonitor service on port 7900 to run unauthorized code.

Which versions are affected?

FortiSIEM versions 6.7 through 7.5 are vulnerable to this flaw.

Is there a public exploit?

Yes, a proof-of-concept exploit has been published on GitHub by security researchers.

What is the immediate fix?

Update to a patched version such as 7.4.1 or restrict access to the phMonitor port 7900.

Attack

Attacks Target Freshly Patched Critical Fortinet Flaws

published: Jan. 22, 2026

Take action: This became urgent. FortiSIEM is actively attacked. Patch your FortiSIEM appliances to the latest version immediately and block port 7900 from any public access.

Learn More

The Fortinet FortiSIEM flaw, CVE-2025-64155 (CVSS score 9.8) is reported to be actively exploited. The vulnerability is a OS command injection flaw in FortiSIEM that allows unauthenticated remote code execution via port 7900.

Researchers at Defused report attacks right after the patch came out. These groups use IP addresses from China Mobile and Tencent to find targets.

The bug affects FortiSIEM versions 6.7 to 7.5.

Users should update to versions 7.4.1, 7.3.5, 7.2.7, or 7.1.9. Fortinet will not release fixes for versions 6.7.x or 7.0.x. If you use those, you must switch to a newer release. If you cannot update yet, block port 7900 to stop the exploit.

Attacks Target Freshly Patched Critical Fortinet Flaws

Read More
Apache Superset default secret key issue exploited by …
Python developers targeted in phishing campaign against PyPI …
Gogs Zero-Day vulnerability actively exploited
CISA reports actively exploited Critical HPE OneView flaw
Oracle WebLogic Servers Face Immediate Exploitation of Critical …