A critical vulnerability identified as CVE-2025-64155 in Fortinet’s FortiSIEM security platform has prompted the immediate release of proof-of-concept (PoC) exploit code. This development significantly heightens the urgency for organizations to apply necessary patches to their systems. The flaw may enable unauthenticated, remote attackers to execute unauthorized code or commands on vulnerable FortiSIEM deployments through specially crafted TCP requests.
The vulnerability specifically targets the phMonitor service, described by experts as the “nervous system” of the security information and event management (SIEM) platform. According to Scott Caveza, senior staff research engineer at Tenable, “This flaw allows attackers to write arbitrary code into a file executed as the root user, gaining unauthenticated code execution.” He emphasized that this creates a scenario where a company’s defensive headquarters could become a “silent staging ground for lateral movement” by malicious actors.
Discovered and reported privately by Zach Hanley, a researcher at Horizon3.ai, CVE-2025-64155 has been acknowledged by Fortinet, which revealed its existence earlier this week. The company has since issued fixes for all affected supported versions of FortiSIEM. Customers are advised to upgrade to versions 7.4.1 or above, 7.3.5 or above, 7.2.7 or above, or 7.1.9 or above. Users still operating on FortiSIEM versions 7.0.x or 6.7.x are encouraged to migrate to one of the patched releases.
For organizations unable to upgrade immediately, administrators should restrict access to the phMonitor port, which operates on TCP port 7900. It is important to note that CVE-2025-64155 does not impact FortiSIEM Cloud or the latest version, FortiSIEM 7.5. Additionally, not all nodes in a FortiSIEM deployment are affected: Supervisor and Worker nodes are vulnerable, while Collector nodes used for log ingestion are not affected.
Hanley initially uncovered CVE-2025-64155 while examining a previously addressed FortiSIEM vulnerability, CVE-2025-25256, for which exploit code had also been detected in the wild. Although Fortinet has not confirmed whether attackers exploited this earlier flaw, exploitation of CVE-2025-25256 appears not to generate distinctive indicators of compromise. In contrast, successful exploitation of CVE-2025-64155 is expected to leave traces.
According to researchers at Horizon3.ai, security teams can monitor logs for suspicious messages directed at the phMonitor service. Specific logs may contain PHL_ERROR entries alongside attacker-supplied URLs and file paths indicating where the malicious payload has been written.
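The following is an added example (not code from Fortinet, Horizon3.ai, or the article) covering the two defensive checks above: the version-based exposure test from the patch advice, and a scan for PHL_ERROR lines referencing phMonitor that carry a URL or file path. The sample log layout and the `/data/...` path are constructed assumptions, since the article does not show the real PHL_ERROR format.

```python
import re

# Fixed releases per affected branch, as given in the advisory summary above.
FIXED_MIN = {(7, 4): (7, 4, 1), (7, 3): (7, 3, 5), (7, 2): (7, 2, 7), (7, 1): (7, 1, 9)}
NO_FIX_BRANCHES = {(7, 0), (6, 7)}   # affected, no fixed release in branch: migrate
UNAFFECTED_BRANCHES = {(7, 5)}        # FortiSIEM 7.5 is not affected

def parse_version(text):
    return tuple(int(p) for p in text.strip().split("."))

def is_vulnerable(version_text):
    """True/False for a Supervisor or Worker node version; None if the branch
    is not covered by the advisory summary (check vendor guidance directly)."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in UNAFFECTED_BRANCHES:
        return False
    if branch in NO_FIX_BRANCHES:
        return True
    if branch in FIXED_MIN:
        return v < FIXED_MIN[branch]
    return None

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.\-]+/)*[\w.\-]+")

def find_suspicious_phmonitor_events(lines):
    """Return (line_no, urls, paths) for PHL_ERROR lines that mention phMonitor
    and carry a URL or absolute file path. The log layout is a constructed
    assumption; adapt the two substring checks to your real PHL_ERROR format."""
    hits = []
    for n, line in enumerate(lines, 1):
        if "PHL_ERROR" not in line or "phMonitor" not in line:
            continue
        urls = URL_RE.findall(line)
        paths = PATH_RE.findall(URL_RE.sub(" ", line))   # don't re-count URL paths
        if urls or paths:
            hits.append((n, urls, paths))
    return hits

# Constructed sample lines (not real FortiSIEM output); 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z phMonitor [PHL_INFO]: heartbeat ok
2025-01-01T10:00:05Z phMonitor [PHL_ERROR]: fetch http://203.0.113.10/x.sh into /data/example-write.txt failed
2025-01-01T10:00:09Z phMonitor [PHL_ERROR]: connection reset by peer
2025-01-01T10:00:12Z phParser [PHL_ERROR]: cannot open /var/log/example.log
""".splitlines()
```

Only the second sample line is reported: it is a phMonitor PHL_ERROR that names both an external URL and a local write path, which is the pattern Horizon3.ai describes as worth triaging.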
With the release of the PoC exploit code, the cybersecurity community faces a pressing challenge. Organizations must act swiftly to mitigate risks associated with this vulnerability to safeguard their systems and sensitive data.