Fortinet is warning a few distant unauthenticated command injection flaw in FortiSIEM that has in-the-wild exploit code, making it crucial for admins to use the newest safety updates.
FortiSIEM is a central safety monitoring and analytics system used for logging, community telemetry, and safety incident alerts, serving as an integral a part of safety operation facilities, the place it is an important device within the fingers of IT ops groups and analysts.
The product is usually utilized by governments, giant enterprises, monetary establishments, healthcare suppliers, and managed safety service suppliers (MSSPs).
The flaw, tracked as CVE-2025-25256 and rated crucial (CVSS: 9.8), impacts a number of branches of SIEM, from 5.4 as much as 7.3.
“An improper neutralization of particular components utilized in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM could enable an unauthenticated attacker to execute unauthorized code or instructions through crafted CLI requests,” describes Fortinet.
Whereas Fortinet doesn’t outright state that the flaw was exploited as a zero-day, they did affirm that purposeful exploit code exists for the flaw.
“Sensible exploit code for this vulnerability was discovered within the wild,” famous the seller.
Fortinet says exploitation of this flaw doesn’t produce distinctive IOCs to find out if a tool has been compromised.
This disclosure comes a day after GreyNoise warned of a huge spike in brute-force assaults concentrating on Fortinet SSL VPNs earlier this month, adopted by a change to FortiManager. The community menace intelligence firm warned that spikes of malicious site visitors usually precede the disclosure of a brand new vulnerability.
It’s unclear if Fortinet’s disclosure of CVE-2025-25256 is said to GreyNoise’s report.
Given the supply of an exploit proof of idea (PoC), organizations should apply the newest safety updates for CVE-2025-25256 as quickly as attainable by upgrading to one of many following FortiSIEM variations:
- FortiSIEM 7.3.2
- FortiSIEM 7.2.6
- FortiSIEM 7.1.8
- FortiSIEM 7.0.4
- FortiSIEM 6.7.10
FortiSIEM variations 5.4 to six.6 are additionally susceptible in all variations, however they’re not supported and won’t obtain a patch for the flaw. Directors managing older FortiSIEM variations are suggested emigrate to a more moderen, actively supported launch.
Fortinet additionally included a workaround of limiting entry to the phMonitor on port 7900, indicating that that is the entry level for malicious exploitation.
It is essential to notice that such workarounds cut back publicity and purchase time till an improve could be carried out. Nevertheless, they don’t repair the underlying vulnerability.
46% of environments had passwords cracked, practically doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration traits.
