Critical Fortinet FortiSIEM Flaw Exploited in the Wild
Summary
A critical vulnerability in Fortinet FortiSIEM (CVE-2025-64155, CVSS 9.4) is under active exploitation. The flaw allows unauthenticated attackers to execute arbitrary code or commands via crafted TCP requests. The vulnerability comprises two issues: an unauthenticated argument injection leading to arbitrary file write and remote code execution as the admin user, and a file overwrite privilege escalation leading to root access. The affected phMonitor service is deeply embedded in FortiSIEM's operational workflow, so successful exploitation grants full control of the appliance. This poses a significant risk to organizations using FortiSIEM, as it can lead to complete compromise of the appliance. Fortinet users are advised to apply patches and monitor their systems for any signs of exploitation.
Timeline
- 19.01.2026 15:17 · 1 article
  Critical Fortinet FortiSIEM Flaw Exploited in the Wild
  Sources:
  - ⚡ Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More — thehackernews.com — 19.01.2026 15:17
Information Snippets
- The vulnerability, tracked as CVE-2025-64155, has a CVSS score of 9.4, indicating a critical severity level.
  First reported: 19.01.2026 15:17 · 1 source, 1 article. Sources:
  - ⚡ Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More — thehackernews.com — 19.01.2026 15:17
- The flaw allows unauthenticated attackers to execute arbitrary code or commands via crafted TCP requests.
  First reported: 19.01.2026 15:17 · 1 source, 1 article. Sources:
  - ⚡ Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More — thehackernews.com — 19.01.2026 15:17
- The vulnerability comprises two issues: an unauthenticated argument injection leading to arbitrary file write and remote code execution as the admin user, and a file overwrite privilege escalation leading to root access.
  First reported: 19.01.2026 15:17 · 1 source, 1 article. Sources:
  - ⚡ Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More — thehackernews.com — 19.01.2026 15:17
- The affected phMonitor service is deeply embedded in FortiSIEM's operational workflow, so successful exploitation grants full control of the appliance.
  First reported: 19.01.2026 15:17 · 1 source, 1 article. Sources:
  - ⚡ Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More — thehackernews.com — 19.01.2026 15:17