Overview
- Fortinet issued fixes for CVE-2025-64155 in FortiSIEM (CVSS 9.4), an unauthenticated OS command-injection bug that enables remote code execution.
- A separate FortiFone flaw, CVE-2025-47855 (CVSS 9.3), allows unauthenticated retrieval of device configuration via crafted HTTP(S) requests.
- FortiSIEM exposure is limited to Super and Worker nodes; Collector nodes, FortiSIEM 7.5 and FortiSIEM Cloud are not affected.
- Horizon3.ai detailed an attack path through unauthenticated handlers in the phMonitor service on TCP/7900 that leads from arbitrary file write to root via a cron-executed script.
- Public exploit code and technical details are now available from researchers, though reports do not confirm active exploitation in the wild.