Fortinet FortiSIEM CVE-2025-64155: Critical Vulnerability Exploited in the Wild
Executive Summary
In June 2025, Fortinet disclosed CVE-2025-64155, a critical command injection vulnerability affecting FortiSIEM, its security information and event management solution. Attackers began exploiting the flaw almost immediately after disclosure, leveraging it to execute unauthorized system commands and gain persistent access across multiple targeted networks. Malicious activity was detected from a diverse array of IP addresses, suggesting widespread probing and potential compromise. The rapid weaponization of the vulnerability placed organizations relying on FortiSIEM at risk of data exfiltration, lateral movement, and potential service disruption, underscoring the importance of timely patch management and layered defenses.
This incident is emblematic of a growing trend where attackers aggressively target newly disclosed vulnerabilities in widely used security platforms. The event highlights the urgent need for rapid vulnerability response processes and reevaluation of vendor risk in security-critical infrastructure, as threat actors continue to automate exploitation of critical flaws in security tooling itself.
Why This Matters Now
With critical infrastructure and enterprise environments dependent on SIEMs for security oversight, the exploitation of FortiSIEM’s CVE-2025-64155 demonstrates how attackers can quickly weaponize public vulnerabilities. This urgency is compounded by automated scanning, emphasizing the need for real-time threat detection, swift patching, and zero trust segmentation to contain breaches.
Attack Path Analysis
The attacker exploited the critical CVE-2025-64155 command injection flaw in FortiSIEM to gain an initial foothold in the cloud environment. Leveraging this access, the adversary likely escalated privileges to gain broader control. The attacker then moved laterally across internal services and regions, seeking additional targets or valuable assets. Command and control was established through outbound channels to coordinate activities and deliver further payloads. Sensitive data may have been exfiltrated via encrypted or covert channels. Finally, the attacker could have disrupted operations or deployed additional malicious actions, impacting system availability or compromising integrity.
Kill Chain Progression
Initial Compromise
Description
Exploited CVE-2025-64155 command injection flaw in public-facing FortiSIEM to gain initial access.
Related CVEs
CVE-2025-64155
CVSS 9.4An OS command injection vulnerability in Fortinet FortiSIEM allows unauthenticated remote attackers to execute arbitrary code via crafted TCP requests.
Affected Products:
Fortinet FortiSIEM – 7.4.0, 7.3.0 through 7.3.4, 7.2.0 through 7.2.6, 7.1.0 through 7.1.8, 7.0.0 through 7.0.4, 6.7.0 through 6.7.10
Exploit Status:
exploited in the wildReferences:
https://nvd.nist.gov/vuln/detail/CVE-2025-64155https://fortiguard.fortinet.com/psirt/FG-IR-25-772https://www.securityweek.com/fortinet-patches-critical-vulnerabilities-in-fortifone-fortisiem/https://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/CVE-2025-25256
CVSS 9.8An OS command injection vulnerability in Fortinet FortiSIEM allows unauthenticated remote attackers to execute arbitrary code via crafted CLI requests.
Affected Products:
Fortinet FortiSIEM – 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3, 6.7.0 through 6.7.9, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, 6.4.0 through 6.4.3
Exploit Status:
exploited in the wildCVE-2024-23108
CVSS 10An OS command injection vulnerability in Fortinet FortiSIEM supervisor allows unauthenticated remote attackers to execute unauthorized commands via crafted API requests.
Affected Products:
Fortinet FortiSIEM – 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, 6.4.0 through 6.4.2
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Exploitation for Privilege Escalation
Exploitation for Defense Evasion
Valid Accounts
OS Credential Dumping
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 10(2)
CISA ZTMM 2.0 – Continuous Vulnerability Assessment
Control ID: Detect: Asset Management
NIS2 Directive – Security of Network and Information Systems
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
FortiSIEM command injection vulnerability CVE-2025-64155 threatens financial SIEM systems, compromising fraud detection, transaction monitoring, and regulatory compliance capabilities under active exploitation.
Health Care / Life Sciences
Critical FortiSIEM flaw enables attackers to inject commands into healthcare security monitoring systems, potentially exposing patient data and disrupting HIPAA compliance infrastructure.
Government Administration
Government agencies using FortiSIEM face severe risk from CVE-2025-64155 exploitation, threatening national security monitoring capabilities and sensitive administrative system visibility.
Information Technology/IT
IT service providers leveraging FortiSIEM for client security monitoring face immediate risk from command injection attacks, potentially compromising managed security service delivery.
Sources
- More Problems for Fortinet: Critical FortiSIEM Flaw Exploitedhttps://www.darkreading.com/vulnerabilities-threats/fortinet-critical-fortisiem-flaw-exploitedVerified
- Fortinet Patches Critical Vulnerabilities in FortiFone, FortiSIEMhttps://www.securityweek.com/fortinet-patches-critical-vulnerabilities-in-fortifone-fortisiem/Verified
- Exploit code public for critical FortiSIEM command injection flawhttps://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/Verified
- Fortinet Products Are in the Crosshairs Againhttps://www.darkreading.com/cyberattacks-data-breaches/fortinet-products-in-crosshairs-againVerified
- PSIRT | FortiGuard Labshttps://fortiguard.fortinet.com/psirt/FG-IR-25-772Verified
- PSIRT | FortiGuard Labshttps://fortiguard.fortinet.com/psirt/FG-IR-25-152Verified
- PSIRT | FortiGuard Labshttps://fortiguard.fortinet.com/psirt/FG-IR-23-130Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, east-west traffic security, strict egress enforcement, and real-time threat detection would have greatly limited the attacker’s ability to progress beyond initial compromise, detect malicious activity, and prevent lateral movement or data exfiltration. Distributed CNSF controls specifically aligned to microsegmentation, inline inspection, and egress policy could have disrupted or contained each phase of the kill chain.
Control: Cloud Firewall (ACF)
Mitigation: Inline firewall controls would restrict access to public-facing management interfaces.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation and least-privilege policies reduce blast radius of compromised accounts.
Control: East-West Traffic Security
Mitigation: East-west inspection and policy segmentation block unauthorized service-to-service traversal.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks known malicious C2 patterns and protocol anomalies.
Control: Egress Security & Policy Enforcement
Mitigation: Egress controls prevent unauthorized outbound data transfers.
Anomalous or destructive behaviors trigger alerts and rapid response.
Impact at a Glance
Affected Business Functions
- Security Monitoring
- Incident Response
- Compliance Reporting
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive security logs and incident data, leading to compromised security postures and regulatory non-compliance.
Recommended Actions
Key Takeaways & Next Steps
- • Implement identity-based zero trust segmentation to reduce the blast radius of future exploits.
- • Enforce strict perimeter and egress policies using distributed cloud firewalls to protect exposed management interfaces.
- • Enable continuous east-west inspection and microsegmentation to block unauthorized internal movement.
- • Deploy inline IPS and anomaly detection to rapidly identify command-and-control and exploit signatures.
- • Regularly audit privileged accounts and automate incident response to limit attack dwell time and impact.
