Critical OS Command Injection Vulnerability in FortiSIEM (CVE-2025-25256) Exploited in the Wild
Summary
Fortinet has disclosed a critical OS command injection vulnerability in FortiSIEM, identified as CVE-2025-25256. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute unauthorized code or commands via crafted CLI requests. Exploit code for this vulnerability has been observed in the wild. Affected versions include FortiSIEM 6.1 through 6.7.9 and 7.0.0 through 7.3.1. Fortinet advises upgrading to the latest versions and limiting access to the phMonitor port (7900) as a workaround. Additionally, a Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication. The vulnerability was silently patched in FortiWeb version 8.0.2. The exploitation activity was first detected early last month, and Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed. Rapid7 observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. The watchTowr team has released an artifact generator tool for the authentication bypass to help identify susceptible devices.
Timeline
- 14.11.2025 04:41 · 2 articles · 1d ago
FortiWeb Path Traversal Vulnerability Exploited to Create Admin Users
The vulnerability was silently patched in FortiWeb version 8.0.2. The exploitation activity was first detected early last month, and Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed. Rapid7 observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. The watchTowr team has released an artifact generator tool for the authentication bypass to help identify susceptible devices.
Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- 13.08.2025 14:37 · 2 articles · 3mo ago
Critical OS Command Injection Vulnerability in FortiSIEM Exploited in the Wild
Fortinet disclosed a critical OS command injection vulnerability (CVE-2025-25256) in FortiSIEM, with a CVSS score of 9.8. The flaw allows unauthenticated attackers to execute unauthorized code or commands via crafted CLI requests. Exploit code for this vulnerability has been observed in the wild. Affected versions include FortiSIEM 6.1 through 6.7.9 and 7.0.0 through 7.3.1. Fortinet advises upgrading to the latest versions and limiting access to the phMonitor port (7900) as a workaround.
Sources:
- Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
Information Snippets
- The vulnerability, CVE-2025-25256, is an OS command injection flaw in FortiSIEM.
First reported: 13.08.2025 14:37 · 1 source, 1 article · Sources:
- Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
- The flaw has a CVSS score of 9.8, indicating a critical severity.
First reported: 13.08.2025 14:37 · 1 source, 1 article · Sources:
- Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
- Unauthenticated attackers can execute unauthorized code or commands via crafted CLI requests.
First reported: 13.08.2025 14:37 · 1 source, 1 article · Sources:
- Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
- Exploit code for this vulnerability has been found in the wild.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles · Sources:
- Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Affected versions include FortiSIEM 6.1 through 6.7.9 and 7.0.0 through 7.3.1.
First reported: 13.08.2025 14:37 · 1 source, 1 article · Sources:
- Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
- Fortinet recommends upgrading to the latest versions and limiting access to the phMonitor port (7900).
First reported: 13.08.2025 14:37 · 1 source, 1 article · Sources:
- Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
- The vulnerability is rooted in the function 'phMonitorProcess::handleStorageArchiveRequest' due to inadequate sanitization of user inputs.
First reported: 13.08.2025 14:37 · 1 source, 1 article · Sources:
- Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
- The flaw can be exploited by supplying a specially crafted XML payload to run arbitrary shell commands.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles · Sources:
- Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- A Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication.
First reported: 14.11.2025 04:41 · 2 sources, 2 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- The issue is fixed in FortiWeb 8.0.2, and admins are urged to update as soon as possible and check for signs of unauthorized access.
First reported: 14.11.2025 04:41 · 2 sources, 2 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- The exploitation was first spotted by threat intelligence company Defused on October 6, which reported an 'Unknown Fortinet exploit' used against exposed devices to create admin accounts.
First reported: 14.11.2025 04:41 · 2 sources, 3 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Threat actors are sending HTTP POST requests to the endpoint '/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi' containing payloads that create local admin-level accounts on the targeted device.
First reported: 14.11.2025 04:41 · 2 sources, 3 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- The exploitation observed by researchers includes multiple sets of created username and password combinations, with usernames including Testpoint, trader1, and trader. Passwords seen assigned to accounts include 3eMIXX43, AFT3$tH4ck, and AFT3$tH4ckmet0d4yaga!n.
First reported: 14.11.2025 04:41 · 3 sources, 4 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- The attacks originated from a wide range of IP addresses, including 107.152.41.19, 144.31.1.63, addresses in the 185.192.70.0/24 range, and 64.95.13.8 (from the original October report).
First reported: 14.11.2025 04:41 · 2 sources, 3 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- Security researchers at watchTowr Labs have confirmed the exploit, posting a video on X that demonstrates a failed FortiWeb login attempt, the execution of the exploit, and the successful login as the newly created admin user.
First reported: 14.11.2025 04:41 · 2 sources, 3 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- watchTowr also released a tool called 'FortiWeb Authentication Bypass Artifact Generator,' which attempts to exploit the flaw by creating an admin user with an 8-character random username derived from a UUID.
First reported: 14.11.2025 04:41 · 2 sources, 3 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- The tool was released to help defenders identify vulnerable devices.
First reported: 14.11.2025 04:41 · 2 sources, 3 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- According to Rapid7, the flaw affects FortiWeb versions 8.0.1 and earlier. The flaw was fixed in version 8.0.2, which is believed to have been released at the end of October.
First reported: 14.11.2025 04:41 · 3 sources, 4 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- Administrators should review their devices for unusual administrative accounts, check logs for requests to the fwbcgi path, and investigate any activity from the identified suspicious IP addresses.
First reported: 14.11.2025 04:41 · 2 sources, 3 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- Administrators should also ensure these management interfaces are not reachable from the internet and are restricted to trusted networks or VPN-only access.
First reported: 14.11.2025 04:41 · 2 sources, 3 articles · Sources:
- Fortinet FortiWeb flaw with public PoC exploited to create admin users — www.bleepingcomputer.com — 14.11.2025 04:41
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- The watchTowr team has observed active, indiscriminate in-the-wild exploitation of the vulnerability.
First reported: 14.11.2025 11:00 · 3 sources, 3 articles · Sources:
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- The vulnerability was silently patched in FortiWeb version 8.0.2.
First reported: 14.11.2025 11:00 · 3 sources, 3 articles · Sources:
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- The threat actor behind the exploitation sends a payload to the "/api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi" endpoint via an HTTP POST request to create an admin account.
First reported: 14.11.2025 11:00 · 3 sources, 3 articles · Sources:
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- Some of the admin usernames and passwords created by the payloads detected in the wild include Testpoint / AFodIUU3Sszp5, trader1 / 3eMIXX43, trader / 3eMIXX43, test1234point / AFT3$tH4ck, Testpoint / AFT3$tH4ck, and Testpoint / AFT3$tH4ckmet0d4yaga!n.
First reported: 14.11.2025 11:00 · 2 sources, 2 articles · Sources:
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- The exploitation activity was first detected early last month.
First reported: 14.11.2025 11:00 · 3 sources, 3 articles · Sources:
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed.
First reported: 14.11.2025 11:00 · 3 sources, 3 articles · Sources:
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- Rapid7 observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025.
First reported: 14.11.2025 11:00 · 3 sources, 3 articles · Sources:
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
- The watchTowr team has released an artifact generator tool for the authentication bypass to help identify susceptible devices.
First reported: 14.11.2025 11:00 · 3 sources, 3 articles · Sources:
- Fortinet FortiWeb Flaw Actively Exploited in the Wild Before Company's Silent Patch — thehackernews.com — 14.11.2025 11:00
- Fortinet confirms silent patch for FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 14.11.2025 19:00
- Fortinet Confirms Active Exploitation of Critical FortiWeb Vulnerability — www.securityweek.com — 14.11.2025 22:17
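The log check and account review recommended in the snippets above, carried into code as an added example (not a tool from Fortinet, watchTowr, Rapid7 or Defused): it normalises each request path, flags requests that reach the fwbcgi binary through the traversal the reports describe or that come from the source addresses the reports quote, and compares a device's admin list against the reported usernames. The combined-log line layout and the sample lines are assumptions constructed for the example, not FortiWeb's own log format or real traffic.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Indicators quoted in the reporting summarised on this page.
TARGET_CGI = "/cgi-bin/fwbcgi"
API_PREFIX = "/api/v2.0/cmdb/system/admin"
OBSERVED_USERNAMES = {"Testpoint", "trader1", "trader", "test1234point"}
OBSERVED_SOURCES = [ipaddress.ip_network(n) for n in
                    ("107.152.41.19/32", "144.31.1.63/32", "185.192.70.0/24", "64.95.13.8/32")]

# Assumed combined-log layout (not FortiWeb's own): client-ip - - [timestamp] "METHOD path HTTP/x" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def normalize_path(raw_path):
    """Percent-decode until stable (%3f and %3F both become '?'), then collapse '.'/'..' segments."""
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return posixpath.normpath(decoded)


def classify_request(ip, method, raw_path):
    """Return the reasons a single request matches the reported activity ([] if none)."""
    reasons = []
    norm = normalize_path(raw_path)
    if norm == TARGET_CGI:
        # Reaching the CGI binary through '..' segments is the reported exploitation
        # pattern; a plain request to it is still worth a look, at lower priority.
        reasons.append("traversal-to-fwbcgi" if norm != raw_path else "direct-fwbcgi-request")
        if method == "POST" and unquote(raw_path).startswith(API_PREFIX):
            reasons.append("admin-api-prefix")
    try:
        if any(ipaddress.ip_address(ip) in net for net in OBSERVED_SOURCES):
            reasons.append("reported-source-ip")
    except ValueError:
        pass  # unparsable client field; keep going
    return reasons


def scan_log(lines):
    """Return (ip, raw_path, reasons) for every line that triggers at least one reason."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = classify_request(m["ip"], m["method"], m["path"])
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits


def suspicious_admins(device_admins):
    """Admin accounts on a device whose names match those seen in the reported attacks."""
    return sorted(set(device_admins) & OBSERVED_USERNAMES)


# Constructed sample lines, not real traffic; lines 2 and 3 mimic the reported request
# with the lower- and upper-case encodings of '?' that the reports quote.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Oct/2025:10:00:01 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0',
    '107.152.41.19 - - [06/Oct/2025:10:00:02 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 0',
    '185.192.70.17 - - [06/Oct/2025:10:00:03 +0000] "POST /api/v2.0/cmdb/system/admin%3F/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 0',
    '198.51.100.9 - - [06/Oct/2025:10:00:04 +0000] "GET /cgi-bin/fwbcgi HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, reasons)
    print(suspicious_admins(["admin", "Testpoint", "ops-ro"]))
```

A direct hit on fwbcgi without traversal is reported separately so it can be triaged against legitimate use rather than treated as an intrusion outright.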
Similar Happenings
Critical Remote Command Execution Vulnerability Exploited in CentOS Web Panel
A critical remote command execution vulnerability (CVE-2025-48703) in CentOS Web Panel (CWP) is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary shell commands as a valid user. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal entities to patch or discontinue use by November 25. The issue affects all CWP versions before 0.9.8.1204. The vulnerability was demonstrated in late June and reported to CWP on May 13. The fix was released on June 18 in version 0.9.8.1205. CISA did not provide details on the exploitation methods, targets, or origin of the malicious activity.
Post SMTP Plugin Vulnerability Exploited to Hijack WordPress Admin Accounts
A critical vulnerability in the Post SMTP WordPress plugin, tracked as CVE-2025-11833, is being actively exploited to hijack administrator accounts. The flaw allows unauthenticated attackers to read arbitrary logged emails, including password reset messages, leading to account takeover and full site compromise. The vulnerability affects all versions of Post SMTP 3.6.0 and older, with over 400,000 downloads. The issue was reported on October 11 and patched on October 29. However, as of November 4, at least 210,000 sites remain vulnerable. Exploitation attempts began on November 1, with over 4,500 blocked attempts since then. The Post SMTP plugin is a popular email delivery solution for WordPress.
Active Exploitation of Critical Microsoft WSUS Flaw
A critical vulnerability in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, is being actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to drop malicious payloads and execute arbitrary commands on infected hosts. The vulnerability affects WSUS versions 3.32.x and was discovered by Eye Security and Huntress. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch the flaw, which was added to the Known Exploited Vulnerabilities catalog. Organizations using WSUS are advised to apply the out-of-band security updates provided by Microsoft to mitigate the risk of exploitation. The flaw was originally patched by Microsoft as part of its Patch Tuesday updates, but attackers have since weaponized it to deploy .NET executables and Base64-encoded PowerShell scripts. Shadowserver is tracking over 2,800 WSUS instances with default ports exposed online. The vulnerability is a deserialization of untrusted data flaw that allows unauthenticated attackers to achieve remote code execution with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint. A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making it particularly dangerous for large enterprises. Huntress advised isolating network access to WSUS and blocking inbound traffic to TCP ports 8530 and 8531 as remediation steps. The out-of-band (OOB) security update KB5070881 for CVE-2025-59287 broke hotpatching on some Windows Server 2025 devices. Microsoft has released a new update, KB5070893, to address the issue without disrupting hotpatching. Administrators are advised to install this update to maintain hotpatching functionality.
Critical WSUS RCE Vulnerability Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution.
Critical Command Injection Vulnerabilities in TP-Link Omada Gateways
TP-Link Omada and Festa VPN routers are affected by six critical command injection vulnerabilities, including newly discovered CVE-2025-7850 and CVE-2025-7851. These flaws allow for arbitrary OS command execution and root access, potentially leading to full compromise, data theft, lateral movement, and persistence. The vulnerabilities affect multiple Omada gateway models and firmware versions. Firmware updates have been released to address these issues. TP-Link Omada gateways are full-stack solutions for small to medium businesses, including router, firewall, and VPN gateway functionalities. The flaws, CVE-2025-6542 and CVE-2025-6541, can be exploited remotely without authentication or via the web management interface. Two additional severe flaws, CVE-2025-8750 and CVE-2025-7851, can allow authenticated command injection and root access under certain conditions. The newly discovered vulnerabilities, CVE-2025-7850 and CVE-2025-7851, are due to an incomplete fix of a previous vulnerability, CVE-2024-21827, leaving residual debug code and insecure private key usage.