Fortinet has issued an urgent warning about a critical remote command injection vulnerability (CVE-2025-25256, CVSS 9.8) in FortiSIEM, a widely used security monitoring and analytics platform. The flaw affects multiple versions from 5.4 up to 7.3 and allows unauthenticated attackers to execute arbitrary code or commands via specially crafted CLI requests. Functional exploit code has already been found in the wild, though Fortinet says the attacks leave no clear indicators of compromise. FortiSIEM is heavily used by governments, large enterprises, financial institutions, healthcare providers, and MSSPs, making the risk particularly severe.
The issue follows recent warnings from GreyNoise about spikes in malicious traffic targeting Fortinet systems, though a direct link is unconfirmed. Fortinet advises immediate upgrades to patched versions (7.3.2, 7.2.6, 7.1.8, 7.0.4, 6.7.10), as older unsupported releases will not receive a fix. For those unable to update immediately, limiting access to the phMonitor service on port 7900 can reduce risk, but it is not a permanent solution. Prompt action is essential to prevent compromise given the active exploitation.
Read more...