Fortinet has issued patches for a critical OS command injection vulnerability in FortiSIEM, CVE-2025-25256, after exploit code appeared in the wild. Fortinet’s security advisory FG-IR-25-152 provides details and lists affected versions.
The vulnerability stems from improper neutralization of special elements, which could allow unauthenticated attackers to execute arbitrary commands via crafted CLI requests. No user interaction is required. FortiSIEM versions affected include 7.3.0–7.3.1, 7.2.0–7.2.5, 7.1.0–7.1.7, 7.0.0–7.0.3 and 6.7.0–6.7.9, with older branches 6.6, 6.5, 6.4, 6.3, 6.2, 6.1 and 5.4 also impacted.
To mitigate, Fortinet recommends upgrading to fixed releases: FortiSIEM 7.4 (the 7.4.0 release went live in late July 2025), 7.3.2 or newer, 7.2.6 or newer, 7.1.8 or newer, 7.0.4 or newer, or 6.7.10 or newer. Details are in the Fortinet advisory and release notes: Fortinet PSIRT advisory FG-IR-25-152 and FortiSIEM 7.4 release notes.
Fortinet also notes that if rapid upgrading is not feasible, access to the phMonitor port (TCP 7900) should be restricted to trusted internal hosts, as this port supports the phMonitor service used by FortiSIEM components to communicate and perform discovery and synchronization tasks.
Officials did not provide details on where exploit code originated or whether attackers have leveraged it in the wild. The vendor cited historical PoCs related to FortiSIEM but cautioned that there are no confirmed in-the-wild instances tied to CVE-2025-25256. The exploit code reportedly does not generate distinctive indicators of compromise, complicating detection.