FortiSIEM phMonitor port 7900 restriction advisory
Advisory/Mitigation
Summary
Fortinet issued mitigation guidance for FortiSIEM after disclosing CVE-2025-25256, a critical command-injection flaw with in-the-wild exploit code. The company told customers to limit access to phMonitor port 7900 while they move affected systems to fixed releases. The advisory matters because an unauthenticated attacker could use the flaw to run unauthorized code or commands on exposed systems.
Timeline
- 18.08.2025 03:00 (1 article)
Technical Analysis Update: watchTowr Labs described phMonitor as a C++ binary that monitors FortiSIEM processes over port 7900 using a custom RPC protocol wrapped in TLS. The flaw resides in phMonitorProcess::handleStorageArchiveRequest, where inadequate input sanitization and the weak quote escaping in addParaSafe can let an attacker send a crafted XML payload that runs arbitrary shell commands on the underlying operating system.
Source: Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
- 13.08.2025 14:37 (1 article)
Initial Disclosure: Fortinet warned that CVE-2025-25256 is a critical FortiSIEM OS command injection flaw with a CVSS score of 9.8 and said practical exploit code had been found in the wild. Impacted releases are FortiSIEM 6.1 through 6.6, 6.7.0 through 6.7.9, 7.0.0 through 7.0.3, 7.1.0 through 7.1.7, 7.2.0 through 7.2.5, and 7.3.0 through 7.3.1; FortiSIEM 7.4 is not affected. Fortinet advised organizations to limit access to phMonitor port 7900 while moving systems to fixed releases.
Source: Fortinet Warns About FortiSIEM Vulnerability (CVE-2025-25256) With In-the-Wild Exploit Code — thehackernews.com — 13.08.2025 14:37
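The disclosure entry lists the affected release ranges and the interim mitigation of restricting port 7900. The following is an added example, not code from Fortinet or from the advisory: it classifies a constructed FortiSIEM inventory against those ranges and flags firewall rules that still permit TCP/7900 from outside an assumed cluster allowlist; the host names, rule format and allowlist subnet are all assumptions.

```python
# Added example (not Fortinet's code): check FortiSIEM builds against the ranges
# listed for CVE-2025-25256 and flag rules exposing phMonitor port 7900 too widely.
from ipaddress import ip_network

# Ranges as listed in the advisory: 6.1-6.6 (all builds), 6.7.0-6.7.9,
# 7.0.0-7.0.3, 7.1.0-7.1.7, 7.2.0-7.2.5, 7.3.0-7.3.1. 7.4 is not affected.
AFFECTED_RANGES = [
    ((6, 1, 0), (6, 6, float("inf"))),
    ((6, 7, 0), (6, 7, 9)),
    ((7, 0, 0), (7, 0, 3)),
    ((7, 1, 0), (7, 1, 7)),
    ((7, 2, 0), (7, 2, 5)),
    ((7, 3, 0), (7, 3, 1)),
]

def parse_version(text):
    """'7.2.4' -> (7, 2, 4); a two-part '6.5' is padded to (6, 5, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_affected(version):
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def overly_broad_rules(rules, allowlist):
    """Source networks allowed to reach TCP/7900 that are not inside the allowlist."""
    allowed = [ip_network(n) for n in allowlist]
    exposed = []
    for rule in rules:
        if rule["action"] != "allow" or rule["dport"] != 7900:
            continue
        src = ip_network(rule["src"])
        if not any(src.subnet_of(a) for a in allowed):
            exposed.append(rule["src"])
    return exposed

# Constructed sample data (hypothetical hosts, rules and cluster subnet).
INVENTORY = {"siem-super": "7.2.4", "siem-worker1": "7.3.1",
             "siem-collector": "7.4.0", "siem-legacy": "6.5"}
RULES = [{"src": "10.20.0.0/24", "dport": 7900, "action": "allow"},  # cluster nodes
         {"src": "0.0.0.0/0", "dport": 7900, "action": "allow"},     # too broad
         {"src": "0.0.0.0/0", "dport": 443, "action": "allow"}]
CLUSTER_ALLOWLIST = ["10.20.0.0/24"]

def audit(inventory=INVENTORY, rules=RULES, allowlist=CLUSTER_ALLOWLIST):
    """Return (hosts on affected builds, rule sources exposing 7900 beyond the allowlist)."""
    vulnerable = sorted(h for h, v in inventory.items() if is_affected(v))
    return vulnerable, overly_broad_rules(rules, allowlist)
```

Hosts in the first list need the fixed release; any source in the second list means the port 7900 restriction the advisory calls for is not yet in place.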