Exploit code public for critical FortiSIEM command injection flaw

Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet’s Security Information and Event Management (SIEM) solution that could be leveraged by a remote, unauthenticated attacker to execute commands or code.

The vulnerability is tracked as CVE-2025-25256, and is a combination of two issues that permit arbitrary write with admin permissions and privilege escalation to root access.

Researchers at penetration testing company Horizon3.ai reported the security issue in mid-August 2025. In early November, Fortinet addressed it in four out of five development branches of the product and announced this week that all vulnerable versions have been patched.

Fortinet describes the CVE-2025-25256 vulnerability as “an improper neutralization of special elements used in an OS command vulnerability in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.”

Horizon3.ai has published a detailed write-up explaining that the root cause of the issue is the exposure of dozens of command handlers on the phMonitor service, which can be invoked remotely without authentication.

The researchers say that this service has been the entry point for multiple FortiSIEM vulnerabilities over several years, like CVE-2023-34992 and CVE-2024-23108, and underline that ransomware groups like Black Basta have previously shown sincere interest in these flaws.

Along with technical details about CVE-2025-25256, the researchers have also published a demonstrative exploit. Since the vendor delivered the fix and published a security advisory, the researchers decided to share the exploit code.

The flaw impacts FortiSIEM versions from 6.7 to 7.5, and fixes were made available to the following releases:

• FortiSIEM 7.4.1 or above
• FortiSIEM 7.3.5 or above
• FortiSIEM 7.2.7 or above
• FortiSIEM 7.1.9 or above

FortiSIEM 7.0 and 6.7.0 are also impacted but are no longer supported, so they won’t receive a fix for CVE-2025-25256.

Fortinet clarified that this flaw does not impact FortiSIEM 7.5 and FortiSIEM Cloud.

The only workaround provided by the vendor for those unable to apply the security update immediately is to limit access to the phMonitor port (7900).

Horizon3.ai has also shared indicators of compromise that can help companies detect compromised systems. Looking at the logs for the messages received by phMonitor (/opt/phoenix/log/phoenix.logs), the line with ‘PHL_ERROR’ should include the URL for the payload and the file it is written to.

Secrets Security Cheat Sheet: From Sprawl to Control

Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.

Get the cheat sheet and take the guesswork out of secrets management.

Download Now