Overview
- Security researchers report active, targeted exploitation of the FortiSIEM vulnerability CVE-2025-64155 shortly after proof-of-concept code was published, though Fortinet has not yet marked it as exploited.
- The bug allows unauthenticated remote code execution via phMonitor command handlers on TCP port 7900, enabling arbitrary file writes that escalate to root by overwriting the cron-executed /opt/charting/redishb.sh.
- Fortinet released fixes for supported branches, instructing customers to upgrade to 7.4.1+, 7.3.5+, 7.2.7+, or 7.1.9+, while advising users on 7.0.x and 6.7.x to migrate to a supported release.
- FortiSIEM 7.5 and FortiSIEM Cloud are not impacted, and only Supervisor and Worker nodes are affected, with Collector nodes unaffected.
- As an immediate mitigation, Fortinet recommends restricting network access to phMonitor on TCP port 7900. For detection, Horizon3.ai points to the phMonitor log at /opt/phoenix/log/phoenix.logs, where PHL_ERROR lines can reveal the payload URLs and file paths used in an attempt.
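Added example, not code from Horizon3.ai or Fortinet: a small Python triage helper that scans phMonitor log text for PHL_ERROR lines, extracts any URLs and absolute file paths they mention, and flags entries that reference the cron script named above. The sample log lines and their layout are constructed for illustration; only the PHL_ERROR token, the log location and the /opt/charting/redishb.sh path come from the page, and the real log format may differ.

```python
import re
from typing import Dict, List

# Constructed sample lines in an assumed layout. Only the PHL_ERROR token and
# the presence of URLs / absolute paths are relied upon by the parser.
SAMPLE_LOG = """\
2025-11-20 10:01:02 [PHL_INFO] phMonitor: handler started, listening on 7900
2025-11-20 10:02:15 [PHL_ERROR] phMonitor: failed to fetch http://198.51.100.7:8000/x.sh for write to /opt/charting/redishb.sh
2025-11-20 10:02:16 [PHL_ERROR] phMonitor: unexpected write target /tmp/.cache/stage2
2025-11-20 10:03:00 [PHL_INFO] phMonitor: heartbeat ok
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Absolute path not preceded by a word character or another slash (avoids
# matching the path component inside a URL after URLs have been stripped).
PATH_RE = re.compile(r"(?<![\w/])/(?:[\w.\-]+/)*[\w.\-]+")
# The page identifies this cron-executed script as the root-escalation target.
SENSITIVE_PATHS = {"/opt/charting/redishb.sh"}


def extract_phl_errors(text: str) -> List[Dict[str, object]]:
    """Return one finding per PHL_ERROR line: URLs, paths and a sensitivity flag."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "PHL_ERROR" not in line:
            continue
        urls = URL_RE.findall(line)
        # Blank out URLs first so "/x.sh" inside a URL is not counted as a local path.
        stripped = URL_RE.sub(" ", line)
        paths = [p for p in PATH_RE.findall(stripped) if p != "/"]
        findings.append({
            "line": lineno,
            "urls": urls,
            "paths": paths,
            "sensitive": any(p in SENSITIVE_PATHS for p in paths),
        })
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real host, read
    # /opt/phoenix/log/phoenix.logs instead.
    for f in extract_phl_errors(SAMPLE_LOG):
        tag = "SENSITIVE" if f["sensitive"] else "review"
        print(f"line {f['line']}: {tag} urls={f['urls']} paths={f['paths']}")
```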