Critical FortiSIEM Flaw: Fortinet Urges Immediate Patching as Public Exploit Circulates
Fortinet has disclosed a critical vulnerability in its FortiSIEM system, already accompanied by a working exploit circulating publicly. The flaw enables a remote, unauthenticated attacker to execute arbitrary commands on the targeted system, making the installation of security updates an urgent priority for all administrators.
FortiSIEM is a comprehensive platform for centralized security event monitoring and analytics. It collects and processes logs, network telemetry, and incident notifications, empowering operational and analytical teams to detect and investigate attacks in real time. The solution is widely deployed in government agencies, banks, insurance companies, healthcare institutions, and managed security service providers, where it plays a pivotal role in the operations of SOC centers.
The vulnerability, identified as CVE-2025-25256, carries the maximum CVSS severity score of 9.8. It affects a broad range of FortiSIEM versions — from branch 5.4 through 7.3, inclusive. At its core, the flaw stems from improper filtering of special characters in the operating system command line (CWE-78), allowing a specially crafted request to the CLI interface to result in unauthorized code execution.
While Fortinet has not explicitly stated that the flaw was exploited as a zero-day, it has confirmed that a working exploit has already been observed “in the wild.” The company also notes that exploitation of CVE-2025-25256 leaves no distinctive indicators of compromise by which an attack could be conclusively detected — a factor that greatly complicates post-incident investigations.
The disclosure comes just one day after GreyNoise warned of a sharp rise in password-spraying attacks on Fortinet SSL VPN, followed by scanning activity targeting FortiManager. Analysts noted that such spikes in activity often precede the public revelation of a significant new vulnerability in Fortinet products. Whether these incidents are linked to the discovery of CVE-2025-25256 remains unclear.
Given the existence of publicly available, exploitation-ready proof-of-concept code, Fortinet strongly urges users to update to fixed versions: FortiSIEM 7.3.2, 7.2.6, 7.1.8, 7.0.4, or 6.7.10. All releases from 5.4 to 6.6 are also vulnerable but have reached end-of-support status and will not receive patches. Organizations running these legacy systems should plan an upgrade to a currently supported release.
As an interim mitigation, the company recommends restricting access to the phMonitor component on port 7900, which appears to be leveraged as the attack entry point. However, Fortinet warns that this measure merely reduces risk and buys time for patch preparation — it does not address the root cause of the vulnerability.
