Fortinet confirmed that the issue stems from an OS command injection vulnerability (CWE-78), where improper sanitization of special elements in system commands allows unauthenticated attackers to execute arbitrary code or commands through specially crafted TCP requests. The company released security updates on Tuesday to address the vulnerability.
Horizon3.ai released a detailed technical analysis revealing that the vulnerability stems from multiple command handlers exposed through the phMonitor service. These handlers can be accessed remotely without authentication, enabling attackers to trigger them directly. The company also published proof-of-concept exploit code demonstrating how an argument injection flaw can be leveraged to overwrite the /opt/charting/redishb.sh file, ultimately achieving code execution with root privileges.
The vulnerability impacts FortiSIEM versions 6.7 through 7.5. Fortinet recommends upgrading to one of the following patched versions: FortiSIEM 7.4.1 or later, 7.3.5 or later, 7.2.7 or later, or 7.1.9 or later. Organizations running FortiSIEM 7.0.0 through 7.0.4 and 6.7.0 through 6.7.10 should migrate to a supported fixed release to mitigate the risk.
Active Exploitation Status
On Tuesday, Fortinet issued a temporary mitigation for organizations unable to immediately deploy security updates, advising administrators to restrict access to the phMonitor service port (TCP/7900).
Two days later, threat intelligence firm Defused reported that adversaries are actively exploiting CVE-2025-64155 in real-world attacks. The company confirmed observing targeted exploitation attempts within its honeypot infrastructure.
“Fortinet FortiSIEM vulnerability CVE-2025-64155 is experiencing active, targeted exploitation in our honeypots.” Indicators of Compromise (IOC) GuidanceHorizon3.ai released indicators of compromise to assist defenders in identifying compromised systems. Administrators are advised to review the /opt/phoenix/log/phoenix.logs file and search for suspicious payload URLs associated with log entries containing PHL_ERROR.
Vendor Advisory StatusAs of this writing, Fortinet has not updated its official security advisory to reflect confirmed exploitation activity. BleepingComputer contacted Fortinet for comment, but no response was available at the time of reporting.
Related Fortinet Zero-Day Exploitation HistoryIn November, Fortinet disclosed that threat actors were exploiting a FortiWeb zero-day vulnerability (CVE-2025-58034). One week later, the company confirmed it had quietly patched another FortiWeb zero-day (CVE-2025-64446) that was also leveraged in widespread attacks.
Summarized Remediation Steps- Immediate: Restrict network access to the phMonitor service (TCP/7900) using firewall rules or network segmentation.
- Patch: Upgrade FortiSIEM to a fixed version (7.4.1+, 7.3.5+, 7.2.7+, or 7.1.9+).
- Migrate: Systems running FortiSIEM 7.0.x or 6.7.x must migrate to a supported patched release.
- Hunt for IOCs: Inspect /opt/phoenix/log/phoenix.logs for suspicious PHL_ERROR entries and embedded payload URLs.
- Network Monitoring: Detect anomalous inbound TCP/7900 access attempts and command execution patterns.
- Hardening: Enforce least privilege, restrict management interfaces, and deploy EDR with command injection detection.
- Backup & IR: Verify integrity of system scripts (e.g., /opt/charting/redishb.sh) and initiate incident response if tampering is detected.