Fortinet is alerting clients of a crucial safety flaw in FortiSIEM for which it mentioned there exists an exploit within the wild.
The vulnerability, tracked as CVE-2025-25256, carries a CVSS rating of 9.8 out of a most of 10.0.
“An improper neutralization of particular components utilized in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM could enable an unauthenticated attacker to execute unauthorized code or instructions through crafted CLI requests,” the corporate mentioned in a Tuesday advisory.
The next variations are impacted by the flaw –
- FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6 (Migrate to a set launch)
- FortiSIEM 6.7.0 via 6.7.9 (Improve to six.7.10 or above)
- FortiSIEM 7.0.0 via 7.0.3 (Improve to 7.0.4 or above)
- FortiSIEM 7.1.0 via 7.1.7 (Improve to 7.1.8 or above)
- FortiSIEM 7.2.0 via 7.2.5 (Improve to 7.2.6 or above)
- FortiSIEM 7.3.0 via 7.3.1 (Improve to 7.3.2 or above)
- FortiSIEM 7.4 (Not affected)
Fortinet acknowledged in its advisory {that a} “sensible exploit code for this vulnerability was discovered within the wild,” however didn’t share any extra specifics concerning the nature of the exploit and the place it was discovered. It additionally famous that the exploitation code doesn’t seem to provide distinctive indicators of compromise (IoCs).
As workarounds, the community safety firm is recommending that organizations restrict entry to the phMonitor port (7900).
The disclosure comes a day after GreyNoise warned of a “vital spike” in brute-force site visitors geared toward Fortinet SSL VPN gadgets, with dozens of IP addresses from the US, Canada, Russia, and the Netherlands probing gadgets positioned internationally.
