
Critical OS Command Injection Vulnerability in FortiSIEM (CVE-2025-64155) Exploited in the Wild

2 unique sources, 5 articles

Summary

Fortinet has disclosed a critical OS command injection vulnerability in FortiSIEM, identified as CVE-2025-64155. The flaw, with a CVSS score of 9.4, allows unauthenticated attackers to execute unauthorized code or commands via crafted TCP requests. The vulnerability affects Super and Worker nodes in FortiSIEM versions 6.7.0 through 6.7.10, 7.0.0 through 7.0.4, 7.1.0 through 7.1.8, 7.2.0 through 7.2.6, 7.3.0 through 7.3.4, and 7.4.0. The flaw combines an unauthenticated argument injection vulnerability leading to arbitrary file write with a file overwrite privilege escalation vulnerability leading to root access. Fortinet advises upgrading to the latest versions and limiting access to the phMonitor port (7900) as a workaround. Additionally, a Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication. The vulnerability was silently patched in FortiWeb version 8.0.2. The exploitation activity was first detected early last month, and Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed. Rapid7 observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. The watchTowr team has released an artifact generator tool for the authentication bypass to help identify susceptible devices.

Timeline

  1. 14.01.2026 13:53 1 article · 1d ago

    Fortinet Releases Fixes for Critical FortiFone Vulnerability

    Fortinet has shipped fixes for another critical security vulnerability in FortiFone (CVE-2025-47855, CVSS score: 9.3) that could allow an unauthenticated attacker to obtain device configuration via a specially crafted HTTP(S) request to the Web Portal page. The vulnerability affects FortiFone versions 3.0.13 through 3.0.23 and 7.0.0 through 7.0.1. Fortinet recommends upgrading to the latest versions for optimal protection.

  2. 14.11.2025 04:41 2 articles · 2mo ago

    FortiWeb Path Traversal Vulnerability Exploited to Create Admin Users

    The vulnerability was silently patched in FortiWeb version 8.0.2. The exploitation activity was first detected early last month, and Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed. Rapid7 observed that an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. The watchTowr team has released an artifact generator tool for the authentication bypass to help identify susceptible devices.

  3. 13.08.2025 14:37 4 articles · 5mo ago

    Critical OS Command Injection Vulnerability in FortiSIEM Exploited in the Wild

    The vulnerability is tracked as CVE-2025-25256, and is a combination of two issues that permit arbitrary write with admin permissions and privilege escalation to root access. Researchers at penetration testing company Horizon3.ai reported the security issue in mid-August 2025. In early November, Fortinet addressed it in four out of five development branches of the product and announced this week that all vulnerable versions have been patched. The root cause of the issue is the exposure of dozens of command handlers on the phMonitor service, which can be invoked remotely without authentication. The researchers say that this service has been the entry point for multiple FortiSIEM vulnerabilities over several years, like CVE-2023-34992 and CVE-2024-23108. The flaw impacts FortiSIEM versions from 6.7 to 7.5, and fixes were made available to the following releases: FortiSIEM 7.4.1 or above, FortiSIEM 7.3.5 or above, FortiSIEM 7.2.7 or above, FortiSIEM 7.1.9 or above. FortiSIEM 7.0 and 6.7.0 are also impacted but are no longer supported, so they won’t receive a fix for CVE-2025-25256. Fortinet clarified that this flaw does not impact FortiSIEM 7.5 and FortiSIEM Cloud. Horizon3.ai has also shared indicators of compromise that can help companies detect compromised systems. Looking at the logs for the messages received by phMonitor (/opt/phoenix/log/phoenix.logs), the line with 'PHL_ERROR' should include the URL for the payload and the file it is written to.

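As an added illustration of the log check described in the entry above (this is not a tool from Horizon3.ai or Fortinet), the following Python script scans phoenix.logs text for 'PHL_ERROR' lines that carry a payload URL and extracts the local file path the payload was written to. The log line layout, the sample URLs and the file paths are constructed assumptions, since the page does not show the real log format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log text: the real /opt/phoenix/log/phoenix.logs layout is not
# shown on the page, so the line format below is an assumption for illustration.
SAMPLE_LOG = """\
2025-08-12 10:14:02 PHL_INFO phMonitor: heartbeat from worker-1
2025-08-12 10:15:31 PHL_ERROR phMonitor: failed handling request, payload http://203.0.113.10:8080/p.sh written to /opt/phoenix/bin/update.sh
2025-08-12 10:15:32 PHL_ERROR phMonitor: collector restart failed
2025-08-12 10:16:05 PHL_ERROR phMonitor: payload https://example.invalid/x -> /etc/cron.d/phx
"""

# A URL runs until whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# An absolute local path: a slash not preceded by a word character or another slash.
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.\-]+/)*[\w.\-]+")


def parse_phl_error_line(line: str) -> Optional[Dict[str, object]]:
    """Return {'url', 'files', 'raw'} for a PHL_ERROR line that carries a URL, else None."""
    if "PHL_ERROR" not in line:
        return None
    urls = URL_RE.findall(line)
    if not urls:
        return None
    # Blank out the URL(s) before looking for local paths so the URL's own path is not counted.
    rest = URL_RE.sub(" ", line)
    files = [p for p in PATH_RE.findall(rest) if not p.startswith("/opt/phoenix/log")]
    return {"url": urls[0], "files": files, "raw": line.rstrip()}


def find_phmonitor_iocs(text: str) -> List[Dict[str, object]]:
    """Scan log text and return one finding per PHL_ERROR line that references a payload URL."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        hit = parse_phl_error_line(line)
        if hit is not None:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in find_phmonitor_iocs(SAMPLE_LOG):
        print(f"suspicious phMonitor request: url={f['url']} files={f['files']}")
```

Run it against a copy of the real log file by replacing SAMPLE_LOG with the file contents; any hit is worth a manual review of the referenced file.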

Similar Happenings

High-Severity DoS Vulnerability in Palo Alto Networks Firewalls

Palo Alto Networks has patched a high-severity DoS vulnerability (CVE-2026-0227) affecting PAN-OS firewalls (versions 10.1 and later) and Prisma Access configurations with GlobalProtect enabled. The flaw allows unauthenticated attackers to disable firewall protections through repeated DoS attacks, forcing the firewall into maintenance mode. A proof-of-concept (PoC) exploit exists, and the vulnerability arises from an improper check for exceptional conditions (CWE-754). Most cloud-based Prisma Access instances have been patched, but some remain in progress. No evidence of exploitation has been found yet. Palo Alto Networks has released security updates for all affected versions, advising admins to upgrade to the latest releases. The vulnerability highlights the ongoing targeting of Palo Alto firewalls, which have been frequently exploited in recent attacks.

Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability (CVE-2020-12812)

Fortinet has reported active exploitation of a five-year-old vulnerability (CVE-2020-12812) in FortiOS SSL VPN, which allows attackers to bypass two-factor authentication (2FA) under specific configurations. The flaw, affecting certain setups with local and remote authentication methods, has been observed in the wild by multiple threat actors, including state-backed hackers. Fortinet has issued an advisory detailing the prerequisites for exploitation and recommended mitigations. The FBI and CISA have also warned about the exploitation of this vulnerability in ransomware attacks.

Critical RCE flaw in HPE OneView software actively exploited

Hewlett Packard Enterprise (HPE) has patched a maximum-severity remote code execution (RCE) vulnerability (CVE-2025-37164) in its OneView software, which has a CVSS score of 10.0. The flaw affects all versions before v11.00 and can be exploited by unauthenticated attackers in low-complexity attacks. The vulnerability was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200). HPE advises immediate patching as there are no workarounds or mitigations available. HPE has not confirmed whether the vulnerability has been exploited in attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged the flaw as actively exploited in attacks and has given Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by January 28th. CISA encourages all organizations, including the private sector, to patch their devices against this actively exploited flaw as soon as possible. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface. The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.

Critical FortiCloud SSO Authentication Bypass Vulnerabilities Patched

Fortinet has released updates to address two critical vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that allow attackers to bypass FortiCloud SSO authentication via maliciously crafted SAML messages. The vulnerabilities stem from improper verification of cryptographic signatures. The FortiCloud SSO login feature is not enabled by default but is activated upon FortiCare registration unless explicitly disabled by the administrator. Threat actors have begun exploiting these vulnerabilities in active attacks on FortiGate devices, using IP addresses associated with hosting providers to carry out malicious SSO logins and export device configurations. Attackers targeted admin accounts, accessed the web management interface, and downloaded system configuration files, which can expose network layouts, internet-facing services, firewall policies, potentially vulnerable interfaces, routing tables, and hashed passwords. Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, with more than 5,400 in the United States and nearly 2,000 in India. Organizations are advised to apply patches immediately, disable FortiCloud SSO until updates are applied, and limit access to management interfaces. CISA has added the FortiCloud SSO auth bypass flaw to its catalog of actively exploited vulnerabilities, ordering U.S. government agencies to patch within a week by December 23rd.

ArrayOS AG VPN Flaw Exploited to Deploy Webshells

Threat actors are exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. The flaw, which affects ArrayOS AG 9.4.5.8 and earlier versions, was patched in May but lacks a CVE identifier. Attacks have been observed since at least August, targeting organizations in Japan. The vulnerability is linked to the 'DesktopDirect' remote access feature, and workarounds are available for those unable to update. The attacks have originated from the IP address 194.233.100[.]138. An authentication bypass flaw in the same product (CVE-2023-28461, 9.8) was exploited last year by a China-linked cyber espionage group dubbed MirrorFace, which has a history of targeting Japanese organizations since at least 2019.