A critical vulnerability in FortiSIEM, Fortinet's Security Information and Event Management (SIEM) platform, tracked as CVE-2025-25256, allows unauthenticated remote attackers to execute arbitrary commands on the appliance. The flaw is not a single bug but a chain of issues that together enable unauthorized file writes with administrative privileges and escalation to root. Researchers from Horizon3.ai traced it to the phMonitor service, which has been a recurring weak point in FortiSIEM over the years.
The vulnerability affects FortiSIEM versions 6.7 through 7.4, with patches available for the supported branches 7.1 through 7.4. Versions 7.0 and 6.7 are out of support and will not receive fixes, so deployments on those branches need to be upgraded rather than patched. Fortinet states that the flaw does not impact FortiSIEM 7.5 or its cloud offering. As an interim workaround, administrators are advised to restrict network access to the phMonitor service on TCP port 7900 so that only hosts that legitimately need to reach it can connect.
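The workaround above is only effective if port 7900 is actually unreachable from the segments an attacker could sit on, and that is worth verifying rather than assuming. The following is an added example, not code from Horizon3.ai or Fortinet: a small checker, run from a host on an untrusted network (a user VLAN, a DMZ jump box) against each FortiSIEM supervisor, worker and collector, that classifies the port as open, refused or filtered. The node list, timeouts and the throwaway local listener used to exercise it are assumptions for illustration.

```python
"""Verify that the FortiSIEM phMonitor listener (TCP 7900) is not reachable
from networks that have no business talking to it. Added example; the host
names, timeouts and local test listener are assumptions, not page content."""
import socket
import sys
from contextlib import closing

PHMONITOR_PORT = 7900  # port named in Fortinet's interim workaround


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP port from this vantage point.

    'open'     - handshake completed, the service is reachable from here
    'refused'  - RST received: host is up but nothing is listening / rejected
    'filtered' - timeout or other socket error: dropped by a firewall or unroutable
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except (socket.timeout, OSError):
            return "filtered"


def audit_phmonitor_exposure(nodes, port: int = PHMONITOR_PORT, timeout: float = 3.0) -> dict:
    """Return {node: state} for every node; 'open' entries are still exposed."""
    return {node: tcp_reachable(node, port, timeout) for node in nodes}


def exposed_nodes(report: dict) -> list:
    """Nodes whose phMonitor port accepted a connection from this vantage point."""
    return sorted(node for node, state in report.items() if state == "open")


def start_local_listener():
    """Throwaway loopback listener (assumed for testing) so the checker can be
    exercised without touching a real FortiSIEM node. Returns (socket, port);
    connections complete from the backlog even though nothing calls accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python check_phmonitor.py supervisor.example worker1.example ...
    # Hostnames are placeholders; exit status 1 means at least one node is exposed.
    targets = sys.argv[1:] or ["127.0.0.1"]
    result = audit_phmonitor_exposure(targets)
    for node, state in result.items():
        print(f"{node}:{PHMONITOR_PORT} {state}")
    sys.exit(1 if exposed_nodes(result) else 0)
```

A 'refused' result from an untrusted segment means the host answered but nothing accepted the connection, which is acceptable; 'filtered' means the firewall rule is doing its job; 'open' from any segment other than the FortiSIEM nodes' own management network means the workaround is not in place for that path. Run the check from the supervisor itself as well, since the workers and collectors must still be able to reach 7900 for the deployment to function.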
Horizon3.ai has published a detailed analysis and proof-of-concept exploit code, noting that earlier vulnerabilities in the same phMonitor service attracted ransomware groups such as Black Basta, so this one is likely to be weaponized quickly. Organizations are urged to apply the available updates immediately and to monitor FortiSIEM logs for the specific error messages that Horizon3.ai identifies as indicators of exploitation attempts. The disclosure highlights the ongoing security challenges in widely deployed network monitoring and management products, which sit on privileged network positions and are attractive footholds once compromised.
