Critical FortiSIEM vulnerability patched as public exploit circulates

On August 13, 2025, Fortinet issued an urgent advisory regarding a critical flaw affecting multiple versions of its FortiSIEM platform, noting that "practical exploit code for this vulnerability was found in the wild."

FortiSIEM is widely deployed by managed service providers (MSPs) and enterprise security teams to aggregate and analyze logs, events, and alerts across complex infrastructures.

The flaw, tracked as CVE-2025-25256 with a CVSS score of 9.8, is an OS Command Injection vulnerability (CWE-78) that allows unauthenticated threat actors to execute arbitrary commands or code on affected systems by sending malicious command-line interface (CLI) requests.

The affected versions include FortiSIEM 5.4 through 7.3.1, including legacy branches no longer supported with security updates. Fortinet confirmed that FortiSIEM 7.4 is not impacted, and addressed CVE-2025-25256 in versions:

• 7.3.2
• 7.2.6
• 7.1.8
• 7.0.4
• 6.7.10

Organizations unable to upgrade immediately are advised to restrict access to the phMonitor port (TCP 7900), which facilitates internal component communication and has been identified as a potential vector for exploitation.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst insight

CVE-2025-25256 builds on the same attack surface as previous FortiSIEM flaws, CVE-2023-34992 and CVE-2024-23108, again targeting internal CLI handling over TCP port 7900 for unauthenticated command execution. These cases underscore the recurring risk posed by insecure input handling within internal FortiSIEM components exposed through port 7900.

The disclosure follows reports on a recent surge in brute-force traffic targeting Fortinet SSL VPN devices, suggesting broader interest from threat actors in Fortinet’s ecosystem. While Fortinet has not disclosed the origin or scope of the exploit activity, the presence of practical exploit code in the wild underscores the urgency to assess exposure and implement mitigations immediately.

We recommend upgrading FortiSIEM to the latest patched versions. If immediate patching is not feasible, restrict external access to TCP port 7900 to limit exposure, and monitor for anomalous CLI activity.

Ensure that legacy FortiSIEM versions no longer supported by Fortinet are decommissioned or isolated from production environments.