- Fortinet patched a critical OS command injection in FortiSIEM (CVE-2025-64155, CVSS 9.4) that can be exploited without authentication.
- The flaw targets the phMonitor service on TCP port 7900 and enables arbitrary file writes as the admin user, then escalation to root via a cron-executed file.
- Researcher Zach Hanley of Horizon3.ai detailed a two-stage exploit: argument injection to write files and a file-overwrite escalation to root.
- Fortinet also released fixes for a separate critical FortiFone issue (CVE-2025-47855, CVSS 9.3); users should apply updates and restrict access to port 7900 as a workaround.
On Jan 14, 2026, Fortinet published updates to fix a critical vulnerability in FortiSIEM that could allow unauthenticated attackers to execute code on vulnerable appliances, affecting Super and Worker nodes, and rated 9.4. The company detailed the issue and available fixes in its security bulletin (see Fortinet bulletin).
"An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests," the company stated in that bulletin.
Security researcher Zach Hanley of Horizon3.ai reported the flaw and described it as two moving parts: an unauthenticated argument-injection that permits arbitrary file writes as the admin user, and a subsequent file overwrite that escalates privileges to root, fully compromising the appliance (see Horizon3.ai disclosure).
The vulnerability stems from how FortiSIEM‘s phMonitor service handles TCP requests on port 7900, invoking a shell script with user-controlled parameters and enabling argument injection via curl. Fortinet documentation describes phMonitor as responsible for health monitoring, task distribution, and inter-node communication (see documentation).
An attacker can write a reverse shell to "/opt/charting/redishb.sh" as the admin user; that file is executed every minute by a cron job running as root, enabling full system takeover if reachable via port 7900. Fortinet listed fixed and unaffected FortiSIEM releases and advised customers to migrate or upgrade to the patched versions in its bulletin.
Fortinet also issued patches for a critical FortiFone vulnerability (CVE-2025-47855, CVSS 9.3) that could expose device configuration via crafted HTTP(S) requests (details and fixes listed in Fortinet bulletin). Users are advised to update affected systems and, as a temporary mitigation for CVE-2025-64155, limit network access to port 7900.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
