Fortinet has recently addressed a critical security vulnerability, CVE-2025-64155, which poses a severe risk to its FortiSIEM and FortiFone products. This OS command injection vulnerability carries a CVSS score of 9.4 out of 10.0, placing it in the critical range. It allows unauthenticated remote code execution, giving an attacker complete control of the affected appliances. The vulnerability was first found and reported on 8/14/2025 by independent cybersecurity researcher Zach Hanley.
This CVE affects FortiSIEM version 7.3.0 and below. Versions 6.7.0 through 6.7.10, 7.0.0 through 7.0.4, 7.1.0 through 7.1.8, 7.2.0 through 7.2.6, 7.3.0 through 7.3.4, and 7.4.0 are affected. A related identifier, CVE-2025-47853, is also cited. In addition, FortiFone versions 3.0.13 through 3.0.23 were susceptible to a similar vulnerability, CVE-2025-47855.
Details of the Vulnerability
CVE-2025-64155 is an unauthenticated PHP Object Injection vulnerability. This bug permits unauthenticated attackers to create arbitrary files and can result in remote code execution as the admin user. The vulnerability was located in FortiSIEM’s phMonitor service, which handles incoming requests for logging security events to Elasticsearch.
This weakness is due to a failure to properly neutralize special elements in an OS command. It is listed as CWE-78 and may allow attackers to execute arbitrary code through specially crafted TCP requests.
“An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,” – Fortinet
This vulnerability also gives attackers an arbitrary file write. Because an arbitrary file overwrite can be turned into privilege escalation, it can be chained to obtain root access and full control over the appliance in question.
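To make the CWE-78 weakness concrete, the following added example (not FortiSIEM or Fortinet code, and not the phMonitor logic) contrasts a command builder that splices untrusted input into a shell string with a hardened builder that validates the input against an allowlist and passes it as a single argv element. The tool path `/opt/tool/reindex`, its `--index` flag and the index names are constructed assumptions for illustration only.

```python
import re
import shlex
import subprocess

# Hypothetical index-maintenance tool: the path and argument format are
# assumptions for this example, not FortiSIEM internals.
TOOL = "/opt/tool/reindex"
# Allowlist for an index name: letters, digits, dot, underscore, hyphen.
INDEX_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_command_unsafe(index: str) -> str:
    """CWE-78 pattern: untrusted input is spliced into a shell command line.

    If this string were handed to subprocess.run(..., shell=True), the shell
    would interpret any control operator contained in `index`.
    """
    return f"{TOOL} --index {index}"


def shell_operators_in(cmdline: str) -> list:
    """Tokenise like a POSIX shell and return any control operators present.

    Useful as a review/detection aid: a command line built from a single
    argument value should never contain more than one command.
    """
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return [tok for tok in lex if tok in {";", "&&", "||", "|", "&"}]


def build_command_safe(index: str) -> list:
    """Hardened form: allowlist validation plus an argv list (no shell)."""
    if not INDEX_NAME.fullmatch(index):
        raise ValueError(f"rejected index name: {index!r}")
    return [TOOL, "--index", index]


def run_safe(index: str) -> subprocess.CompletedProcess:
    """Invoke the tool without a shell; `index` reaches it as one argv entry."""
    # Not called in the demo below, since the tool path does not exist here.
    return subprocess.run(build_command_safe(index), shell=False,
                          check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed inputs: one benign name, one containing a shell operator.
    for name in ("events-2025", "events; id"):
        unsafe = build_command_unsafe(name)
        print(f"unsafe: {unsafe!r} -> operators {shell_operators_in(unsafe)}")
        try:
            print(f"safe:   {build_command_safe(name)}")
        except ValueError as exc:
            print(f"safe:   {exc}")
```

The two defences are independent: the allowlist rejects anything that is not a plausible index name, and the argv list removes the shell from the path entirely, so even a value that slips past validation is never parsed for operators.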
Exploitation Observed
Cybersecurity company Defused Cyber Security reported seeing active, targeted exploitation of CVE-2025-64155 against its honeypots from across the globe. Attacks came from as few as six distinct IP addresses, underscoring how urgently users need to remediate this serious vulnerability.
Zach Hanley noted the severity of the situation, stating, “An unauthenticated argument injection vulnerability that leads to arbitrary file write, allowing for remote code execution as the admin user.” This highlights the serious risks facing all organizations running vulnerable versions of FortiSIEM and FortiFone.
Mitigation and Recommendations
Fortinet has now disclosed this crucial flaw. All users of the vulnerable versions are encouraged to upgrade to patched versions to mitigate the risk associated with CVE-2025-64155. It is a sobering reminder from the company of the need to stay current with security protections to avoid unauthorized access and exploitation.
Organizations need to audit their systems continually, and they should deploy the fixed versions promptly when vendors release them for critical vulnerabilities such as this one.
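As an added example of the audit the previous paragraph calls for (not a Fortinet tool), the script below checks an inventory of FortiSIEM and FortiFone versions against the affected ranges stated earlier on this page. It compares versions as integer tuples rather than strings, because a string comparison would wrongly rank 6.7.9 above 6.7.10. The hostnames and versions in the inventory are constructed sample data, and the page gives no fixed version numbers, so the script only flags hosts as affected.

```python
from typing import List, Tuple

Version = Tuple[int, ...]

# Affected ranges as stated in the advisory summary above (inclusive bounds).
AFFECTED = {
    "FortiSIEM": [("6.7.0", "6.7.10"), ("7.0.0", "7.0.4"), ("7.1.0", "7.1.8"),
                  ("7.2.0", "7.2.6"), ("7.3.0", "7.3.4"), ("7.4.0", "7.4.0")],
    "FortiFone": [("3.0.13", "3.0.23")],
}


def parse_version(text: str) -> Version:
    """Turn '7.2.6' into (7, 2, 6) so comparisons are numeric per component."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside any affected range."""
    v = parse_version(version)
    for low, high in AFFECTED.get(product, []):
        if parse_version(low) <= v <= parse_version(high):
            return True
    return False


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need upgrading."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory: hostnames and versions are illustrative only.
INVENTORY = [
    ("siem-01", "FortiSIEM", "7.2.6"),   # last version in the 7.2 range
    ("siem-02", "FortiSIEM", "7.3.5"),   # just above the stated 7.3 range
    ("siem-03", "FortiSIEM", "6.7.10"),  # string compare would misrank this
    ("phone-07", "FortiFone", "3.0.13"),
    ("phone-08", "FortiFone", "3.1.0"),
]

if __name__ == "__main__":
    for host, product, version in audit(INVENTORY):
        print(f"{host}: {product} {version} is in an affected range; upgrade")
```

The inclusive-range check mirrors how the advisory lists "x through y" spans; a single version such as 7.4.0 is expressed as a range with identical bounds so the same code path handles it.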