
January 14, 2026 |

Fortinet issues fixes for critical flaws in FortiSIEM and FortiFone


At a glance: Two critical vulnerabilities in FortiSIEM and FortiFone allow unauthenticated exploitation when exposed services are reachable, with proof-of-concept code increasing the risk of opportunistic attacks. Field Effect MDR monitors for related exploitation behaviors and will issue an ARO with mitigation guidance if vulnerable systems or suspicious activity are detected.

Threat summary

On January 13, 2026, Fortinet released advisories for two critical vulnerabilities affecting FortiSIEM (Fortinet's platform used for centralized log ingestion, correlation, and incident detection) and FortiFone (the vendor's voice‑over‑IP appliance).

Both products are widely deployed across enterprise and managed service provider environments.

Researchers published a proof‑of‑concept exploit for the first flaw, tracked as CVE‑2025‑64155, on the same day the updates were published. This vulnerability is an operating system command injection issue in the phMonitor function, an internal FortiSIEM management service that listens on Transmission Control Protocol port 7900.

The flaw is due to improper input handling in phMonitor. The service is network‑reachable and processes privileged backend commands without authentication, leading to a remote code execution vector. Fortinet assigned the issue a CVSS score of 9.4, confirming that Super and Worker nodes (two of the main FortiSIEM deployment roles) are affected, while Collector nodes are not.

The second flaw, CVE‑2025‑47855, affects the FortiFone web portal and allows anyone with network access to the interface to retrieve configuration information without logging in. This configuration-leak vulnerability exposes system settings that should be restricted and can support attacker reconnaissance. Exploitation requires only that the web portal is reachable; no credentials or user interaction are needed. Fortinet assigned a CVSS score of 9.3.

Both vulnerabilities were reported to Fortinet in 2025, then validated and patched before advisories were issued in 2026. Their CVE identifiers retain 2025 designations because CVEs are assigned based on the year of reservation, not disclosure.

Insights & mitigations

Both vulnerabilities are easy to exploit when the affected services are exposed, and the availability of proof-of-concept code increases the likelihood of opportunistic attacks.

Proper segmentation, restricted management interfaces, and firewall controls can reduce the likelihood of exploitation, even before patching.

Organizations should confirm whether the vulnerable services are reachable:

  • FortiSIEM: Determine whether the phMonitor service on port 7900 is reachable from anything other than trusted internal systems. phMonitor was built for internal FortiSIEM component-to-component communication, not external access. Restricting access to port 7900 prevents untrusted systems from reaching the vulnerable service and reduces exposure.
  • FortiFone: Check if the web portal is accessible from the internet or broad internal networks. Because both vulnerabilities are unauthenticated, simple network reachability is enough to make exploitation possible.

Organizations should also confirm that systems are running firmware released on January 13, 2026. Reviewing network access controls to ensure that only trusted internal systems can reach administrative or monitoring services further reduces risk.

In addition, environments should be reviewed for signs of probing or compromise.

  • FortiSIEM: This includes unexpected traffic to port 7900, unusual processes running as administrative or root users, and anomalies in SIEM logs that could indicate tampering. Given FortiSIEM’s privileged role within most environments, it's also important to check for indicators of lateral movement, such as new administrative sessions originating from the SIEM appliance or the misuse of stored credentials.
  • FortiFone: Repeated or unusual Hypertext Transfer Protocol (HTTP) requests to configuration endpoints, particularly successful responses to clients with no authenticated session, may signal exploitation attempts.
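The two review steps above (checking that only trusted FortiSIEM nodes reach TCP port 7900, and watching for repeated unauthenticated requests to FortiFone configuration endpoints) can be run as a simple triage script over existing logs. The following is an added example written for this page, not Field Effect or Fortinet code. The firewall flow-log format, the web access-log format, the set of trusted FortiSIEM node addresses, and the rule that any portal path containing "config" counts as a configuration endpoint are all assumptions; the advisory page does not name the FortiFone endpoint, so the `/config` path in the sample is a placeholder.

```python
"""Added example (not Field Effect or Fortinet code): triage two constructed
log samples for the exposure and probing patterns described on the page.

Assumptions: the key=value firewall flow-log format, the combined-style web
access-log format, the trusted FortiSIEM node addresses and the "config"
path pattern are illustrative only.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PHMONITOR_PORT = 7900
# Assumed: the only hosts that should ever talk to phMonitor are the other
# FortiSIEM Super/Worker nodes.
TRUSTED_FORTISIEM_NODES = {"10.10.0.11", "10.10.0.12", "10.10.0.20"}

# Constructed sample: key=value flow records from an internal firewall.
FLOW_LOG = """\
ts=2026-01-14T03:12:01Z src=10.10.0.12 dst=10.10.0.11 dport=7900 proto=tcp action=allow
ts=2026-01-14T03:12:05Z src=203.0.113.45 dst=10.10.0.11 dport=7900 proto=tcp action=allow
ts=2026-01-14T03:12:06Z src=203.0.113.45 dst=10.10.0.11 dport=7900 proto=tcp action=allow
ts=2026-01-14T03:13:00Z src=10.20.5.8 dst=10.10.0.11 dport=7900 proto=tcp action=allow
ts=2026-01-14T03:13:30Z src=10.20.5.8 dst=10.10.0.11 dport=443 proto=tcp action=allow
"""

# Constructed sample: FortiFone web-portal access log. "/config" is a
# placeholder path; the advisory does not name the real endpoint.
ACCESS_LOG = """\
10.10.7.4 - admin [14/Jan/2026:03:15:01 +0000] "GET /admin/index.html HTTP/1.1" 200 5120
203.0.113.45 - - [14/Jan/2026:03:16:01 +0000] "GET /config HTTP/1.1" 200 1843
203.0.113.45 - - [14/Jan/2026:03:16:03 +0000] "GET /config HTTP/1.1" 200 1843
203.0.113.45 - - [14/Jan/2026:03:16:04 +0000] "GET /config?section=sip HTTP/1.1" 200 2210
198.51.100.9 - - [14/Jan/2026:03:20:00 +0000] "GET /config HTTP/1.1" 401 0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
CONFIG_PATH_RE = re.compile(r"config", re.IGNORECASE)  # assumed endpoint pattern


def phmonitor_untrusted_sources(flow_log, trusted=TRUSTED_FORTISIEM_NODES):
    """Count TCP connections to port 7900 per source that is not a trusted
    FortiSIEM node. A single hit means phMonitor is reachable from somewhere
    it should not be; repeated hits from one source look like probing."""
    hits = Counter()
    for line in flow_log.splitlines():
        rec = dict(KV_RE.findall(line))
        if rec.get("proto") != "tcp" or rec.get("dport") != str(PHMONITOR_PORT):
            continue
        if rec.get("src") not in trusted:
            hits[rec["src"]] += 1
    return dict(hits)


def config_endpoint_bursts(access_log, threshold=3, window=timedelta(seconds=60)):
    """Flag sources that, with no authenticated user recorded, received HTTP
    200 for config-like paths at least `threshold` times inside `window`.
    Returns {src: max requests seen in any one window}."""
    stamps = defaultdict(list)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        if m["user"] != "-" or m["status"] != "200":
            continue
        if not CONFIG_PATH_RE.search(m["path"]):
            continue
        stamps[m["src"]].append(
            datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for src, times in stamps.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            # requests falling in [start, start + window]
            n = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, n)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print("phMonitor (7900) reached from untrusted hosts:",
          phmonitor_untrusted_sources(FLOW_LOG))
    print("FortiFone config-endpoint bursts:",
          config_endpoint_bursts(ACCESS_LOG))
```

On the constructed samples the first check reports `203.0.113.45` (two connections) and `10.20.5.8` (one) reaching port 7900, both of which should prompt a firewall rule review; the second reports `203.0.113.45` making three unauthenticated, successful configuration requests within a minute, which matches the reconnaissance pattern described above. The request that returned 401 is deliberately not counted, so the thresholds can be tuned without being dominated by failed attempts.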

Continuous monitoring and verification of appliance integrity remain important even after patches are applied.

Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment, providing clear guidance on steps recommended to mitigate the threat. Field Effect MDR helps mitigate this threat by continuously monitoring for abnormal behavior, including the actions a threat actor would take to exploit these vulnerabilities.
