Fortinet Warns of Critical Bug in FortiSIEM

Fortinet warns users of a critical bug in FortiSIEM. Code that criminals can use to exploit the bug has already been spotted in the wild.

Fortinet warns its customers of a new vulnerability. CVE-2025-25256 is a severe bug that allows hackers to execute unauthorized code: through a crafted CLI request, it is possible to run arbitrary commands on the underlying operating system, which lets criminals take over the entire environment. The bug has a CVSS score of 9.8.

Vulnerable Versions

FortiSIEM 7.4 is not vulnerable, so users of that version are safe. For FortiSIEM 6.6 and older (down to FortiSIEM 5.4), no patch is available, and Fortinet recommends upgrading to a fixed release. The following FortiSIEM versions need to be patched:

  • FortiSIEM 7.3: upgrade to 7.3.2 or higher
  • FortiSIEM 7.2: upgrade to 7.2.6 or higher
  • FortiSIEM 7.1: upgrade to 7.1.8 or higher
  • FortiSIEM 7.0: upgrade to 7.0.4 or higher
  • FortiSIEM 6.7: upgrade to 6.7.10 or higher

While awaiting an upgrade, companies can mitigate the risk through a workaround. It suffices to restrict access to the phMonitor port (7900).
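The two actions above (check each FortiSIEM host against the fixed-version list, and restrict TCP 7900 to trusted hosts until it is upgraded) are easy to get wrong across a large fleet. The script below is an added example, not code from Fortinet or from this article: it triages a constructed inventory against the version table quoted above and emits an nftables allowlist for the phMonitor port on any host that is still exposed. The inventory, IP addresses and trusted ranges are made-up sample values, and the nftables rules assume an existing `inet filter` table with an `input` chain on a Linux firewall in front of the SIEM.

```python
"""Triage FortiSIEM hosts against the CVE-2025-25256 fixed-version table and
generate a phMonitor (TCP 7900) allowlist for hosts that still need a fix.
Added example; version thresholds are the ones quoted in the advisory text."""

# Minimum fixed release per affected branch, as listed in the advisory.
FIXED_VERSIONS = {
    (7, 3): (7, 3, 2),
    (7, 2): (7, 2, 6),
    (7, 1): (7, 1, 8),
    (7, 0): (7, 0, 4),
    (6, 7): (6, 7, 10),
}
NOT_AFFECTED_FROM = (7, 4)      # 7.4 and newer are not vulnerable
NO_PATCH_RANGE = ((5, 4), (6, 6))  # 5.4 through 6.6: no patch, upgrade required
PHMONITOR_PORT = 7900

# Constructed sample inventory (hostname, management IP, reported version).
INVENTORY = [
    ("siem-sup-01", "10.10.0.5", "7.3.1"),
    ("siem-sup-02", "10.10.0.6", "7.3.2"),
    ("siem-worker-01", "10.10.0.7", "6.7.9"),
    ("siem-legacy", "10.10.0.8", "6.5.1"),
    ("siem-new", "10.10.0.9", "7.4.0"),
]


def parse_version(text):
    """Turn '7.3.1' or '7.3' into a (major, minor, patch) tuple; extra
    components (build numbers) are ignored for the comparison."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    nums = [int(p) for p in parts[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums)


def triage(version):
    """Return a status string for one reported version."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch >= NOT_AFFECTED_FROM:
        return "not affected"
    if branch in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[branch]
        if (major, minor, patch) >= fixed:
            return "patched"
        return "upgrade to " + ".".join(map(str, fixed)) + " or higher"
    if NO_PATCH_RANGE[0] <= branch <= NO_PATCH_RANGE[1]:
        return "no patch for this branch: upgrade to a fixed release"
    return "version outside the advisory's stated range: verify manually"


def hosts_needing_workaround(inventory):
    """Hostnames that are exposed until upgraded (anything not patched or unaffected)."""
    return [host for host, _ip, ver in inventory
            if triage(ver) not in ("patched", "not affected")]


def phmonitor_allowlist_rules(host_ip, trusted_cidrs):
    """nftables commands (assumed 'inet filter' table / 'input' chain) that accept
    TCP 7900 to this host only from trusted supervisor/collector ranges and drop
    everything else. The drop rule is appended last so it is evaluated after the accepts."""
    rules = [
        f"nft add rule inet filter input ip daddr {host_ip} ip saddr {cidr} "
        f"tcp dport {PHMONITOR_PORT} accept"
        for cidr in trusted_cidrs
    ]
    rules.append(f"nft add rule inet filter input ip daddr {host_ip} "
                 f"tcp dport {PHMONITOR_PORT} drop")
    return rules


def main():
    trusted = ["10.10.0.0/24"]  # placeholder: the ranges your collectors/supervisors live in
    for host, ip, ver in INVENTORY:
        print(f"{host:16} {ver:8} {triage(ver)}")
    for host, ip, ver in INVENTORY:
        if host in hosts_needing_workaround(INVENTORY):
            print(f"# workaround for {host} until upgraded:")
            print("\n".join(phmonitor_allowlist_rules(ip, trusted)))


if __name__ == "__main__":
    main()
```

The version comparison is deliberately tuple-based rather than string-based so that 6.7.10 sorts after 6.7.9; a naive string compare would mark a fixed host as vulnerable. Adjust the table and chain names to your own firewall before applying the generated rules.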

Fortinet emphasizes that this bug is not merely theoretical. Functional code to exploit the vulnerability is already circulating on the internet. Prompt patching is therefore essential.

The bug follows a previous wave of attacks targeting Fortinet SSL-VPNs. Security company GreyNoise detected a sudden spike in malicious login attempts using brute force or stolen credentials. It is unclear whether the two issues are related.