FortiSIEM OS Command Injection Vulnerability Exploited in the Wild
Summary
Fortinet has disclosed a critical OS command injection vulnerability (CVE-2025-25256, CWE-78) in FortiSIEM, rated CVSS 9.8. The flaw lets an unauthenticated remote attacker execute unauthorized code or commands via crafted CLI requests, and Fortinet says practical exploit code for it has been found in the wild. Affected releases run from FortiSIEM 5.4 through 7.3.1, with specific upgrade paths recommended for each release train. The bug sits in the phMonitor process, which listens on TCP port 7900: untrusted input carried in a specially crafted XML payload is not sanitized before it reaches a shell command, so anyone who can reach that port can inject arbitrary commands. Fortinet advises limiting access to port 7900 as a workaround. The disclosure follows a spike in brute-force traffic against Fortinet SSL VPN devices and FortiManager, with probes originating from multiple countries; previous surges of this kind were strongly correlated with a vulnerability disclosure within six weeks.
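The summary describes the bug class only in one sentence: a value from an XML request reaches a shell command without sanitization. The following Python is an added, constructed illustration of that class and is not Fortinet's code or the phMonitor handler; the 'archiveRequest'/'mountPoint' element names, the path allowlist policy and the use of echo as a stand-in for the real archive command are all assumptions made for the example. It shows the vulnerable interpolation next to the hardened version (allowlist validation plus exec without a shell).

```python
"""Constructed illustration of the bug class behind CVE-2025-25256: a value
taken from an XML request is spliced into a shell command line.

This is NOT Fortinet's code. The 'archiveRequest' wrapper, the 'mountPoint'
element, the path policy and the echo-based stand-in for the real archive
command are assumptions made for this example.
"""
import re
import subprocess
import xml.etree.ElementTree as ET

# Assumed policy: a mount point is an absolute path built from conservative characters.
MOUNT_POINT_RE = re.compile(r"/[A-Za-z0-9_.\-/]+")

# Constructed requests: one benign, one carrying an injected shell command.
BENIGN_REQUEST = "<archiveRequest><mountPoint>/archive/2025</mountPoint></archiveRequest>"
MALICIOUS_REQUEST = (
    "<archiveRequest><mountPoint>/archive; echo INJECTED</mountPoint></archiveRequest>"
)


def mount_point_from_xml(xml_body: str) -> str:
    """Pull the mountPoint text out of the request body."""
    # For genuinely untrusted XML prefer defusedxml; stdlib ElementTree is fine offline.
    root = ET.fromstring(xml_body)
    value = root.findtext("mountPoint")
    if value is None:
        raise ValueError("mountPoint element missing")
    return value


def archive_vulnerable(xml_body: str) -> str:
    """Vulnerable pattern: untrusted text interpolated into a shell command.

    shell=True hands the string to /bin/sh, so ';', '|', '&&' and $(...) in the
    XML value are parsed as shell syntax and 'echo INJECTED' runs as a second
    command. Returns the shell's stdout.
    """
    mount = mount_point_from_xml(xml_body)
    proc = subprocess.run(
        f"echo archiving {mount}", shell=True, capture_output=True, text=True
    )
    return proc.stdout


def validate_mount_point(mount: str) -> bool:
    """Allowlist check: absolute, conservative characters, no '..' components."""
    return bool(MOUNT_POINT_RE.fullmatch(mount)) and ".." not in mount.split("/")


def archive_hardened(xml_body: str) -> str:
    """Hardened pattern: validate against an allowlist, then exec without a shell.

    The argv list goes straight to execve, so whatever survives validation is
    passed as one argument and is never parsed as shell syntax.
    """
    mount = mount_point_from_xml(xml_body)
    if not validate_mount_point(mount):
        raise ValueError(f"rejected mount point: {mount!r}")
    proc = subprocess.run(
        ["echo", "archiving", mount], shell=False, capture_output=True, text=True
    )
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(archive_vulnerable(MALICIOUS_REQUEST)))
    print("hardened  :", repr(archive_hardened(BENIGN_REQUEST)))
    try:
        archive_hardened(MALICIOUS_REQUEST)
    except ValueError as exc:
        print("hardened  :", exc)
```

The two defences are independent: dropping the shell removes the interpretation of metacharacters, while the allowlist stops a hostile value from ever reaching the command at all. Both belong in the fix, because an argument that is not shell syntax can still be dangerous to the program it is passed to.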
Timeline
- 14.08.2025 00:15 · 1 article
Shift in Attacker Behavior and Potential Future Disclosures
A significant spike in brute-force traffic was directed against Fortinet SSL VPNs and FortiManager, emanating from as many as 780 unique IP addresses. The attacks hit FortiOS and FortiManager in two distinct waves, indicating a shift in attacker targeting. Previous surges of similar activity against Fortinet products were strongly correlated with vulnerability disclosures: in 80% of observed cases, a spike of this kind was followed by a CVE disclosure within six weeks.
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
- 13.08.2025 14:37 · 2 articles
FortiSIEM OS Command Injection Vulnerability Exploited in the Wild
Fortinet disclosed a critical OS command injection vulnerability (CVE-2025-25256) in FortiSIEM with a CVSS score of 9.8. The flaw allows unauthenticated attackers to execute unauthorized code via crafted CLI requests, and Fortinet reports that exploit code is being used in the wild. The vulnerability lies in the phMonitor process, which listens on port 7900; it stems from inadequate sanitization of user input, allowing command injection through a specially crafted XML payload. Fortinet advises limiting access to port 7900 as a workaround. Exploitation leaves no distinctive indicators of compromise, so a compromised device is hard to identify from the device alone. The disclosure follows a spike in brute-force traffic targeting Fortinet SSL VPN devices and FortiManager, with probes originating from multiple countries; previous surges of similar activity were strongly correlated with vulnerability disclosures within six weeks. The list of affected versions now covers FortiSIEM 5.4 through 7.3.1.
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
Information Snippets
- The vulnerability is an OS command injection flaw (CWE-78) in FortiSIEM.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
- The vulnerability is tracked as CVE-2025-25256 with a CVSS score of 9.8.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
- The flaw allows unauthenticated attackers to execute unauthorized code via crafted CLI requests.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
- Exploit code for this vulnerability is actively being used in the wild.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
- Affected versions span FortiSIEM 5.4 through 7.3.1 (early reports listed 6.1 through 7.3.1), with specific upgrade paths recommended for each release train.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
- The vulnerability is linked to the phMonitor process, which listens on port 7900.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
- The flaw stems from inadequate sanitization of user input in the 'phMonitorProcess::handleStorageArchiveRequest' function.
First reported: 13.08.2025 14:37 · 1 source, 1 article
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
- Attackers can exploit the flaw by supplying a specially crafted XML payload to run arbitrary shell commands.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
- Fortinet advises limiting access to port 7900 as a workaround.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
- The disclosure follows a spike in brute-force traffic targeting Fortinet SSL VPN devices.
First reported: 13.08.2025 14:37 · 2 sources, 2 articles
  - Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code · thehackernews.com · 13.08.2025 14:37
  - Fortinet Products Are in the Crosshairs Again · www.darkreading.com · 14.08.2025 00:15
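The snippets above give the two practical handles on this flaw: phMonitor's port 7900 should only be reachable from the deployment's own nodes, and exploitation leaves no distinctive indicator on the device itself, so the useful signal is on the network. The Python below is an added example, not Fortinet's or Zeek's code: it runs the check over Zeek-style conn.log records and flags every TCP connection (or bare SYN probe) to port 7900 whose source is not a known FortiSIEM supervisor, worker or collector. The node allowlist, the column subset and the log lines are constructed for the example.

```python
"""Added example: spot unexpected clients of the phMonitor port (TCP 7900)
in Zeek-style conn.log records.

Not Fortinet's or Zeek's code. The allowlist of FortiSIEM nodes and the
sample records below are constructed for this example; the column subset is
the usual conn.log order (ts, uid, orig_h, orig_p, resp_h, resp_p, proto,
conn_state) but real logs carry more columns.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

PHMONITOR_PORT = 7900

# Assumption: the deployment's own FortiSIEM nodes (supervisor, workers, collectors).
FORTISIEM_NODES = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.20.5.17/32")]

# Constructed sample: two legitimate node sessions, one external probe (S0),
# one external completed session (SF), one external reset (RSTO), one unrelated port.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1755086400.1\tC1\t10.10.0.21\t51234\t10.10.0.5\t7900\ttcp\tSF
1755086401.2\tC2\t10.20.5.17\t51235\t10.10.0.5\t7900\ttcp\tSF
1755086402.3\tC3\t203.0.113.45\t40001\t10.10.0.5\t7900\ttcp\tS0
1755086403.4\tC4\t203.0.113.45\t40002\t10.10.0.5\t7900\ttcp\tSF
1755086404.5\tC5\t198.51.100.9\t40003\t10.10.0.5\t7900\ttcp\tRSTO
1755086405.6\tC6\t203.0.113.45\t40004\t10.10.0.5\t443\ttcp\tSF
"""


@dataclass(frozen=True)
class Finding:
    ts: float
    src: str
    dst: str
    conn_state: str


def parse_conn_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one tab-separated conn.log record into a dict; skip comments and short rows."""
    if not line or line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 8:
        return None
    keys = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "conn_state")
    return dict(zip(keys, fields))


def is_fortisiem_node(addr: str) -> bool:
    """True when the address belongs to one of the allowlisted FortiSIEM nodes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in FORTISIEM_NODES)


def untrusted_phmonitor_clients(lines: Iterable[str]) -> List[Finding]:
    """Return every TCP connection to port 7900 from a source outside the allowlist.

    Completed sessions (SF) and bare SYN probes (S0) are both kept: a probe from
    an unexpected host is worth a ticket before a follow-up attempt succeeds.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None or rec["proto"] != "tcp" or int(rec["resp_p"]) != PHMONITOR_PORT:
            continue
        if is_fortisiem_node(rec["orig_h"]):
            continue
        findings.append(Finding(float(rec["ts"]), rec["orig_h"], rec["resp_h"], rec["conn_state"]))
    return findings


def attempts_by_source(findings: Iterable[Finding]) -> Counter:
    """Count flagged connections per source address for triage."""
    return Counter(f.src for f in findings)


if __name__ == "__main__":
    hits = untrusted_phmonitor_clients(SAMPLE_CONN_LOG.splitlines())
    for hit in hits:
        print(f"{hit.ts:.1f} {hit.src} -> {hit.dst}:{PHMONITOR_PORT} ({hit.conn_state})")
    print(attempts_by_source(hits))
```

The same allowlist is what the port 7900 workaround should be built from: if the only hosts permitted to reach phMonitor are the ones in FORTISIEM_NODES, any record this check flags is either a firewall gap or an attempt that was already blocked, and both are worth knowing about.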
Similar Happenings
CVE-2025-5086 in DELMIA Apriso Exploited in the Wild
A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution, and exploitation attempts have been observed originating from an IP address in Mexico. The attacks involve sending a malicious HTTP request with a Base64-encoded payload. The payload decodes to a Windows executable identified as "Trojan.MSIL.Zapchast.gen," a spyware capable of capturing user activities and sending collected information to attackers. DELMIA Apriso is used in production processes for digitalizing and monitoring, including scheduling production, quality management, resource allocation, warehouse management, and integration between production equipment and business applications. The flaw impacts critical industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply necessary updates by October 2, 2025.
Remote Code Execution Vulnerability in Samsung's libimagecodec.quram.so Library Exploited in the Wild
A remote code execution vulnerability in Samsung's libimagecodec.quram.so library, tracked as CVE-2025-21043, was actively exploited in zero-day attacks targeting Samsung Android devices running Android 13, 14, 15, or 16. The flaw, reported by Meta and WhatsApp, allows attackers to execute arbitrary code remotely due to an out-of-bounds write weakness. The CVSS score for the vulnerability is 8.8. Samsung has released a patch for the vulnerability in the September 2025 Security Maintenance Release (SMR). The exploit may affect other instant messengers using the vulnerable library. Users are advised to update their devices to the latest security patch.
Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations
The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors use a combination of brute-forcing credentials, exploiting default configurations, and leveraging the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks to mitigate risks.
Cursor AI editor autoruns malicious code in repositories
A flaw in the Cursor AI editor allows malicious code in a repository to run automatically on a developer's device, enabling malware execution, environment hijacking, and credential theft. The issue arises because Cursor ships with VS Code's Workspace Trust feature disabled; that feature blocks automatic task execution until the user explicitly trusts the folder. The flaw affects one million users who generate over a billion lines of code daily. The Cursor team has decided not to fix the issue, citing the need to keep AI and other features working. They recommend that users enable Workspace Trust manually or open unknown projects in a basic text editor. The flaw is part of a broader trend of prompt injections and jailbreaks affecting AI-powered coding tools.
Critical SessionReaper vulnerability patched in Adobe Commerce and Magento Open Source
Adobe has patched a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms, dubbed SessionReaper. This flaw, with a CVSS score of 9.1, could allow unauthenticated attackers to take control of customer accounts via the Commerce REST API. The patch was released on September 9, 2025, following an emergency notification to selected customers on September 4, 2025. Adobe Commerce on Cloud customers were already protected by a WAF rule deployed as an interim measure. The vulnerability is considered one of the most severe in the platform's history, with potential for widespread exploitation. Administrators are advised to apply the patch immediately; note that it disables certain internal Magento functionality, which may affect custom or external code. The affected versions are Adobe Commerce 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, 2.4.5-p14 and earlier, and 2.4.4-p15 and earlier; Adobe Commerce B2B 1.5.3-alpha2 and earlier, 1.5.2-p2 and earlier, 1.4.2-p7 and earlier, 1.3.4-p14 and earlier, and 1.3.3-p15 and earlier; and Magento Open Source 2.4.9-alpha2 and earlier, 2.4.8-p2 and earlier, 2.4.7-p7 and earlier, 2.4.6-p12 and earlier, and 2.4.5-p14 and earlier. The Custom Attributes Serializable module versions 0.1.0 to 0.4.0 are also affected.