Could this breach have been prevented?

Prompt vulnerability identification, rapid patch deployment, and layered zero trust segmentation would have significantly reduced exposure and the potential impact of exploitation.

What should organizations do in response to this incident?

Organizations should immediately apply available FortiSIEM patches, audit for compromise, enhance incident detection, and revisit segmentation and privileged access controls.

This entry was generated by Aviatrix’s agentic AI workflow using verified public sources. It has not been reviewed or confirmed by human analysts. This content is provided for research and awareness only and should not be used as the sole basis for security, operational, or policy decisions. The entry may be updated as verification progresses or new information emerges. Aviatrix disclaims all liability for any and all damages resulting from decisions based on this entry.

Fortinet FortiSIEM CVE-2025-64155: Critical Vulnerability Exploited in the Wild

A critical command injection flaw in Fortinet's FortiSIEM was rapidly exploited by attackers, underscoring urgent needs for vulnerability management, zero trust segmentation, and detection capabilities.

Published: January 17, 2026

Share this on:

Executive Summary

In June 2025, Fortinet disclosed CVE-2025-64155, a critical command injection vulnerability affecting FortiSIEM, its security information and event management solution. Attackers began exploiting the flaw almost immediately after disclosure, leveraging it to execute unauthorized system commands and gain persistent access across multiple targeted networks. Malicious activity was detected from a diverse array of IP addresses, suggesting widespread probing and potential compromise. The rapid weaponization of the vulnerability placed organizations relying on FortiSIEM at risk of data exfiltration, lateral movement, and potential service disruption, underscoring the importance of timely patch management and layered defenses.

This incident is emblematic of a growing trend where attackers aggressively target newly disclosed vulnerabilities in widely used security platforms. The event highlights the urgent need for rapid vulnerability response processes and reevaluation of vendor risk in security-critical infrastructure, as threat actors continue to automate exploitation of critical flaws in security tooling itself.

Why This Matters Now

With critical infrastructure and enterprise environments dependent on SIEMs for security oversight, the exploitation of FortiSIEM’s CVE-2025-64155 demonstrates how attackers can quickly weaponize public vulnerabilities. This urgency is compounded by automated scanning, emphasizing the need for real-time threat detection, swift patching, and zero trust segmentation to contain breaches.

Attack Path Analysis

The attacker exploited the critical CVE-2025-64155 command injection flaw in FortiSIEM to gain an initial foothold in the cloud environment. Leveraging this access, the adversary likely escalated privileges to gain broader control. The attacker then moved laterally across internal services and regions, seeking additional targets or valuable assets. Command and control was established through outbound channels to coordinate activities and deliver further payloads. Sensitive data may have been exfiltrated via encrypted or covert channels. Finally, the attacker could have disrupted operations or deployed additional malicious actions, impacting system availability or compromising integrity.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Mediuminferred

Impact

Lowinferred

Initial Compromise

Description

Exploited CVE-2025-64155 command injection flaw in public-facing FortiSIEM to gain initial access.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-64155
CVSS 9.4
An OS command injection vulnerability in Fortinet FortiSIEM allows unauthenticated remote attackers to execute arbitrary code via crafted TCP requests.
Affected Products:
Fortinet FortiSIEM – 7.4.0, 7.3.0 through 7.3.4, 7.2.0 through 7.2.6, 7.1.0 through 7.1.8, 7.0.0 through 7.0.4, 6.7.0 through 6.7.10
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-64155 https://fortiguard.fortinet.com/psirt/FG-IR-25-772 https://www.securityweek.com/fortinet-patches-critical-vulnerabilities-in-fortifone-fortisiem/https://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/
CVE-2025-25256
CVSS 9.8
An OS command injection vulnerability in Fortinet FortiSIEM allows unauthenticated remote attackers to execute arbitrary code via crafted CLI requests.
Affected Products:
Fortinet FortiSIEM – 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3, 6.7.0 through 6.7.9, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, 6.4.0 through 6.4.3
Exploit Status:
exploited in the wild
References:
https://fortiguard.fortinet.com/psirt/FG-IR-25-152 https://www.darkreading.com/cyberattacks-data-breaches/fortinet-products-in-crosshairs-again https://www.bleepingcomputer.com/news/security/fortinet-warns-of-fortisiem-pre-auth-rce-flaw-with-exploit-in-the-wild/
CVE-2024-23108
CVSS 10
An OS command injection vulnerability in Fortinet FortiSIEM supervisor allows unauthenticated remote attackers to execute unauthorized commands via crafted API requests.
Affected Products:
Fortinet FortiSIEM – 7.1.0 through 7.1.1, 7.0.0 through 7.0.2, 6.7.0 through 6.7.8, 6.6.0 through 6.6.3, 6.5.0 through 6.5.2, 6.4.0 through 6.4.2
Exploit Status:
proof of concept
References:
https://fortiguard.fortinet.com/psirt/FG-IR-23-130 https://www.darkreading.com/vulnerabilities-threats/fortinet-fortisiem-hit-with-twin-max-severity-bugs https://www.bleepingcomputer.com/news/security/exploit-released-for-maximum-severity-fortinet-rce-bug-patch-now/

MITRE ATT&CK® Techniques

Techniques mapped for top-level SEO and incident filtering; further enrichment with STIX/TAXII data can expand this mapping.

Initial Access

T1190

Exploit Public-Facing Application

Execution

T1059

Command and Scripting Interpreter

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Defense Evasion

T1211

Exploitation for Defense Evasion

Persistence

T1078

Valid Accounts

Credential Access

T1003

OS Credential Dumping

Exfiltration

T1041

Exfiltration Over C2 Channel

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Security of System Components

Control ID: 6.2.4

The exploitation of an unpatched command injection vulnerability in FortiSIEM indicates a failure to apply critical security updates and manage vulnerabilities in system components exposed to public networks.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident demonstrates a lack of effective technical controls and processes required by a mature cybersecurity policy to detect and respond to exploitation of software vulnerabilities.

DORA (Digital Operational Resilience Act) – ICT Risk Management Framework

Control ID: Art. 10(2)

Failure to mitigate known vulnerabilities and ensure operational resilience exposed critical ICT assets to external compromise, contravening DORA's requirements for robust risk management.

CISA ZTMM 2.0 – Continuous Vulnerability Assessment

Control ID: Detect: Asset Management

Attackers exploited a command injection flaw, highlighting gaps in continuous detection, asset discovery, and vulnerability management central to Zero Trust best practices.

NIS2 Directive – Security of Network and Information Systems

Control ID: Art. 21(2)(d)

The incident reflects insufficient measures to address risks from network and information systems exposed to the Internet, as required under NIS2 obligations.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Financial Services

FortiSIEM command injection vulnerability CVE-2025-64155 threatens financial SIEM systems, compromising fraud detection, transaction monitoring, and regulatory compliance capabilities under active exploitation.

Health Care / Life Sciences

Critical FortiSIEM flaw enables attackers to inject commands into healthcare security monitoring systems, potentially exposing patient data and disrupting HIPAA compliance infrastructure.

Government Administration

Government agencies using FortiSIEM face severe risk from CVE-2025-64155 exploitation, threatening national security monitoring capabilities and sensitive administrative system visibility.

Information Technology/IT

IT service providers leveraging FortiSIEM for client security monitoring face immediate risk from command injection attacks, potentially compromising managed security service delivery.

Sources

More Problems for Fortinet: Critical FortiSIEM Flaw Exploitedhttps://www.darkreading.com/vulnerabilities-threats/fortinet-critical-fortisiem-flaw-exploited
Verified

Fortinet Patches Critical Vulnerabilities in FortiFone, FortiSIEMhttps://www.securityweek.com/fortinet-patches-critical-vulnerabilities-in-fortifone-fortisiem/

Verified

Exploit code public for critical FortiSIEM command injection flawhttps://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/

Verified

Fortinet Products Are in the Crosshairs Againhttps://www.darkreading.com/cyberattacks-data-breaches/fortinet-products-in-crosshairs-again

Verified

PSIRT | FortiGuard Labshttps://fortiguard.fortinet.com/psirt/FG-IR-25-772

Verified

PSIRT | FortiGuard Labshttps://fortiguard.fortinet.com/psirt/FG-IR-25-152

Verified

PSIRT | FortiGuard Labshttps://fortiguard.fortinet.com/psirt/FG-IR-23-130

Verified

Frequently Asked Questions

The incident highlighted weaknesses in timely patch management, east-west traffic monitoring, and anomaly response required by frameworks like NIST 800-53, PCI DSS, and HIPAA.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Zero Trust segmentation, east-west traffic security, strict egress enforcement, and real-time threat detection would have greatly limited the attacker’s ability to progress beyond initial compromise, detect malicious activity, and prevent lateral movement or data exfiltration. Distributed CNSF controls specifically aligned to microsegmentation, inline inspection, and egress policy could have disrupted or contained each phase of the kill chain.

Initial Compromise

Control: Cloud Firewall (ACF)

Mitigation: Inline firewall controls would restrict access to public-facing management interfaces.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Microsegmentation and least-privilege policies reduce blast radius of compromised accounts.

Lateral Movement

Control: East-West Traffic Security

Mitigation: East-west inspection and policy segmentation block unauthorized service-to-service traversal.

Command & Control

Control: Inline IPS (Suricata)

Mitigation: Detects and blocks known malicious C2 patterns and protocol anomalies.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Egress controls prevent unauthorized outbound data transfers.

Impact (Mitigations)

Anomalous or destructive behaviors trigger alerts and rapid response.

Impact at a Glance

Affected Business Functions

Security Monitoring
Incident Response
Compliance Reporting

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential exposure of sensitive security logs and incident data, leading to compromised security postures and regulatory non-compliance.

Recommended Actions

• Implement identity-based zero trust segmentation to reduce the blast radius of future exploits.
• Enforce strict perimeter and egress policies using distributed cloud firewalls to protect exposed management interfaces.
• Enable continuous east-west inspection and microsegmentation to block unauthorized internal movement.
• Deploy inline IPS and anomaly detection to rapidly identify command-and-control and exploit signatures.
• Regularly audit privileged accounts and automate incident response to limit attack dwell time and impact.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Get a Free Workload Attack Path Assessment Under Active Attack?

Fortinet FortiSIEM CVE-2025-64155: Critical Vulnerability Exploited in the Wild

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-64155

Affected Products:

Exploit Status:

References:

CVE-2025-25256

Affected Products:

Exploit Status:

References:

CVE-2024-23108

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Command and Scripting Interpreter

Exploitation for Privilege Escalation

Exploitation for Defense Evasion

Valid Accounts

OS Credential Dumping

Exfiltration Over C2 Channel

Potential Compliance Exposure

PCI DSS 4.0 – Security of System Components

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA (Digital Operational Resilience Act) – ICT Risk Management Framework

CISA ZTMM 2.0 – Continuous Vulnerability Assessment

NIS2 Directive – Security of Network and Information Systems

Sector Implications

Financial Services

Health Care / Life Sciences

Government Administration

Information Technology/IT

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads