Fortinet Fixes Critical FortiSIEM & FortiFone Vulnerabilities

January 14, 2026 Faeem BLOGS 0

Fortinet has released urgent patches for two critical flaws impacting its enterprise products, including FortiSIEM and FortiFone, both of which could be exploited by unauthenticated attackers.

CVE-2025-64155 – FortiSIEM OS Command Injection

  • Severity: CVSS 9.4 (Critical).
  • Impact: Allows unauthenticated remote code execution (RCE).
  • Affected components: Super and Worker nodes only.
  • Root cause: Improper neutralization of OS command elements in the phMonitor service (TCP port 7900).
  • Attack chain:
    1. Argument injection vulnerability → arbitrary file write as admin.
    2. File overwrite privilege escalation → root access.
    3. Reverse shell can be written to /opt/charting/redishb.sh, executed every minute via cron with root privileges.
  • Risk: Full system takeover without authentication, simply by gaining network access to port 7900.

Patched Versions:

  • FortiSIEM 6.7.0–6.7.10 → migrate to fixed release.
  • FortiSIEM 7.0.0–7.0.4 → migrate to fixed release.
  • FortiSIEM 7.1.0–7.1.8 → upgrade to 7.1.9+.
  • FortiSIEM 7.2.0–7.2.6 → upgrade to 7.2.7+.
  • FortiSIEM 7.3.0–7.3.4 → upgrade to 7.3.5+.
  • FortiSIEM 7.4.0 → upgrade to 7.4.1+.
  • FortiSIEM 7.5 & FortiSIEM Cloud → not affected.

Workaround: Restrict access to phMonitor port 7900 until patched.

CVE-2025-47855 – FortiFone Web Portal Flaw

  • Severity: CVSS 9.3 (Critical).
  • Impact: Unauthenticated attacker can obtain device configuration via crafted HTTP(S) requests.
  • Affected versions:
    • FortiFone 3.0.13–3.0.23 → upgrade to 3.0.24+.
    • FortiFone 7.0.0–7.0.1 → upgrade to 7.0.2+.
    • FortiFone 7.2 → not affected.

Security Research

  • Discovery: Horizon3.ai researcher Zach Hanley reported CVE-2025-64155 on August 14, 2025.
  • Analysis: Attack relies on phMonitor’s unauthenticated command handlers, making exploitation straightforward once network access is obtained.

Recommendations

  • Immediate patching: Upgrade FortiSIEM and FortiFone to fixed versions.
  • Network hardening: Restrict access to sensitive ports (e.g., 7900).
  • Monitoring: Watch for suspicious cron activity or reverse shell attempts.
  • Defense-in-depth: Apply segmentation and least-privilege principles to limit exposure.

Takeaway

These vulnerabilities highlight the high-risk nature of unauthenticated flaws in enterprise monitoring and communication systems. With exploitation requiring only network access, organizations should patch immediately and enforce strict access controls to prevent compromise.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.