Which FortiSIEM versions are affected by CVE-2025-25256?

Affected FortiSIEM versions include 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3, 6.7.0 through 6.7.9, and older branches including 6.6, 6.5, 6.4, 6.3, 6.2, 6.1, and 5.4. FortiSIEM 7.4, released in late July 2025, is not affected.

How should organizations fix CVE-2025-25256?

Organizations should upgrade to the latest patched versions: version 7.3 users should upgrade to 7.3.2 or above, version 7.2 users to 7.2.6 or above, version 7.1 users to 7.1.8 or above, version 7.0 users to 7.0.4 or above, and version 6.7 users to 6.7.10 or above. Organizations running FortiSIEM versions 6.1 through 6.6 need to migrate to fixed releases.

What makes CVE-2025-25256 particularly dangerous to detect?

The exploit code does not appear to produce distinctive indicators of compromise (IoCs), making detection of attacks using this vulnerability particularly difficult for security teams.

What can attackers accomplish by exploiting CVE-2025-25256?

Attackers can execute arbitrary commands on vulnerable FortiSIEM systems without authentication. This allows them to bypass authentication mechanisms and execute unauthorized code, potentially leading to complete system compromise.

What is FortiSIEM and why is this vulnerability significant?

FortiSIEM is Fortinet's Security Information and Event Management platform used by organizations for security monitoring and incident response. A vulnerability in such a critical security platform is particularly significant as it could compromise an organization's entire security monitoring capabilities.

Which FortiSIEM version is safe from CVE-2025-25256?

FortiSIEM 7.4, which was released in late July 2025, is not affected by CVE-2025-25256. Organizations can also use the specific patched versions mentioned for each branch.

What should organizations do immediately about CVE-2025-25256?

Organizations should immediately upgrade their FortiSIEM installations to the latest patched versions or, if immediate upgrading isn't possible, implement the workaround by limiting access to port 7900 to trusted internal hosts only. Given the active exploitation, this should be treated as an emergency patch priority.

Advisory

Critical remote code execution flaw in FortiSIEM actively exploited

Q: What is CVE-2025-25256 and why is it critical?

CVE-2025-25256 is a critical security vulnerability in Fortinet's FortiSIEM platform with a CVSS score of 9.8. It's an OS Command Injection vulnerability caused by improper neutralization of special elements used in operating system commands, allowing unauthenticated attackers to bypass authentication mechanisms and execute arbitrary commands on vulnerable FortiSIEM systems.

Q: Is CVE-2025-25256 being actively exploited?

Yes, Fortinet is reporting that this vulnerability is being actively exploited. Security researchers have confirmed that working exploit code has been discovered in active use, and threat actors are already weaponizing this flaw against real-world targets.

Q: Is there a workaround for CVE-2025-25256 if immediate upgrading isn't possible?

Yes, as a workaround for organizations unable to upgrade immediately, Fortinet recommends limiting access to the phMonitor port 7900 to trusted internal hosts and IP addresses only.

published: Aug. 13, 2025

Take action: If you have FortiSIEM, block external access to port 7900 until you can update, then plan an urgent patch. Attackers are already exploiting this flaw to take complete control without any login credentials. Since there is a PoC exploit published, this is becoming very urgent.

Learn More

Fortinet is reporting an actively exploited critical security vulnerability in its FortiSIEM platform that allows unauthenticated attackers to execute arbitrary commands.

The vulnerability is tracked as CVE-2025-25256, (CVSS score 9.8) - OS Command Injection- is caused by improper neutralization of special elements used in operating system command enabling attackers to bypass authentication mechanisms and execute unauthorized code on vulnerable FortiSIEM systems.

Security researchers have confirmed that working exploit code has been discovered in active use. Threat actors are already weaponizing this flaw against real-world targets. The exploit code does not appear to produce distinctive indicators of compromise (IoCs), making detection difficult.

Affected FortiSIEM versions:

7.3.0 through 7.3.1,
7.2.0 through 7.2.5,
7.1.0 through 7.1.7,
7.0.0 through 7.0.3,
6.7.0 through 6.7.9,
Older branches including 6.6, 6.5, 6.4, 6.3, 6.2, 6.1, and 5.4

Organizations running FortiSIEM versions 6.1 through 6.6 need to migrate to fixed releases. For newer versions there are upgrade paths:

version 7.3 users should upgrade to 7.3.2 or above,
version 7.2 users should upgrade to 7.2.6 or above.
version 7.1 users should upgrade to 7.1.8 or above
version 7.0 users should upgrade to 7.0.4 or above,
version 6.7 users should upgrade to 6.7.10 or above

FortiSIEM 7.4, which was released in late July 2025, is not affected.

As a workaround for organizations unable to upgrade immediately, Fortinet recommends limiting access to the phMonitor port 7900 to trusted internal hosts and IP addresses only.

Update - as of 13th of January 2026, Researchers at Horizon3.ai has published a detailed write-up explaining that the root cause of the issue and they released a PoC exploit.

Critical remote code execution flaw in FortiSIEM actively exploited

Read More
Maximum severity Remote Code Execution flaw in MITRE …
Here we go again: Progress reports maximum severity …
Ubiquiti reports critical command injection flaw in UniFi …
Multiple vulnerabilities reported in End-of-Life D-Link DIR-878 routers, …
Replace Cisco SPA300, SPA500 IP phones - critically …