Cyber: Hackers Now Exploiting Critical Fortinet FortiSIEM Flaw In Attacks
A critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code is now being abused in attacks.
According to security researcher Zach Hanley at penetration testing company Horizon3.ai, who reported the vulnerability (CVE-2025-64155), it is a combination of two issues that allow arbitrary writes with admin permissions and privilege escalation to root access.
"An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests," Fortinet explained on Tuesday, when it released security updates to patch the flaw.
Horizon3.ai has published a technical write-up explaining that the root cause of the issue is the exposure of dozens of command handlers on the phMonitor service, which can be invoked remotely without authentication, and it released proof-of-concept exploit code that allows gaining code execution as root by abusing an argument injection to overwrite the /opt/charting/redishb.sh file.
The flaw affects FortiSIEM versions 6.7 to 7.5 and can be patched by upgrading to FortiSIEM 7.4.1 or later, 7.3.5 or later, 7.2.7 or later, or 7.1.9 or later. Customers using FortiSIEM 7.0.0 through 7.0.4 and FortiSIEM 6.7.0 through 6.7.10 are advised to migrate to a fixed release.
On Tuesday, Fortinet also shared a temporary workaround for admins who can't immediately apply security updates, requiring them to limit access to the phMonitor port (7900).
Two days later, threat intelligence firm Defused reported that threat actors are now actively exploiting the CVE-2025-64155 flaw in the wild.
"Fortinet FortiSIEM vulnerability CVE-2025-64155 is experiencing active, targeted exploitation in our honeypots," Defused warned.
Horizon3.ai also provides indicators of compromise to help defenders identify already compromised systems. As the researchers explained, admins can find evidence of malicious abuse by checking the phMonitor message logs at /opt/phoenix/log/phoenix.logs for payload URLs on lines that contain PHL_ERROR entries.
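The log check described above can be scripted so that a defender does not have to eyeball the whole file. The following is an added example written for this article; it is not Horizon3.ai's or Fortinet's code. The log path (/opt/phoenix/log/phoenix.logs) and the PHL_ERROR marker come from the article; the exact layout of a phMonitor log line is not documented here, so the sample lines embedded below are constructed, and the script only assumes that a flagged line contains the PHL_ERROR token and a URL somewhere on the same line.

```python
import re
from urllib.parse import urlparse

# Values taken from the article. The line format itself is an assumption.
LOG_PATH = "/opt/phoenix/log/phoenix.logs"
MARKER = "PHL_ERROR"

# Matches http(s) URLs up to whitespace or a quote/angle bracket, so a URL
# embedded in arg='...' does not swallow the closing quote.
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def find_suspicious_lines(lines):
    """Return (line_number, [urls], line) for every line that carries the
    PHL_ERROR marker AND at least one URL. Error lines without a URL and
    URLs on non-error lines are deliberately not reported, matching the
    triage rule from the write-up."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if MARKER not in line:
            continue
        urls = URL_RE.findall(line)
        if urls:
            hits.append((number, urls, line.rstrip("\n")))
    return hits


def summarize_hosts(hits):
    """Count how often each URL host (host:port) appears in the hits; a quick
    way to see which external endpoints would need blocking or lookup."""
    counts = {}
    for _, urls, _ in hits:
        for url in urls:
            host = urlparse(url).netloc
            counts[host] = counts.get(host, 0) + 1
    return counts


def scan_log(path=LOG_PATH):
    """Scan a real log file; errors='replace' keeps the scan going on any
    non-UTF-8 bytes in the file."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return find_suspicious_lines(handle)


# Constructed sample log. 203.0.113.0/24 is a documentation range; nothing
# here is a real indicator of compromise.
SAMPLE_LOG = """\
2025-11-20 10:01:02 PHL_INFO phMonitor: heartbeat ok
2025-11-20 10:01:05 PHL_ERROR phMonitor: handler failed, arg='http://203.0.113.10:8000/example-payload.sh'
2025-11-20 10:01:07 PHL_ERROR phMonitor: config reload failed
2025-11-20 10:01:09 PHL_INFO phMonitor: fetched http://localhost/health
"""

if __name__ == "__main__":
    hits = find_suspicious_lines(SAMPLE_LOG.splitlines())
    for number, urls, line in hits:
        print(f"line {number}: {', '.join(urls)}")
    print("hosts:", summarize_hosts(hits))
```

Run it as-is to see the constructed sample flagged; replace the sample with `scan_log()` on a FortiSIEM host to check the live file. A hit means the line deserves a look, not that the system is confirmed compromised, so compare any host reported by `summarize_hosts` against what the appliance is legitimately expected to contact.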
Fortinet has yet to update its security advisory and flag the vulnerability as exploited in attacks. BleepingComputer also reached out to a Fortinet spokesperson to confirm the reports of active exploitation, but a response was not immediately available.
Source: BleepingComputer