PoC Released for Fortinet FortiSIEM Command Injection Flaw


By Kaaviya

Security researchers have uncovered a severe pre-authentication command injection vulnerability in Fortinet’s FortiSIEM platform that allows attackers to completely compromise enterprise security monitoring systems without any credentials.

The vulnerability, designated CVE-2025-25256, has already been exploited by attackers in real-world scenarios, raising urgent concerns about the security of critical infrastructure monitoring tools.

Enterprise Security Platform Hit by Critical Flaw

FortiSIEM, Fortinet’s flagship Security Information and Event Management (SIEM) solution, is widely deployed across enterprise environments to monitor security events, correlate threats, and provide automated incident response capabilities.

The platform is designed to be the central nervous system of corporate security operations centers (SOCs), making this vulnerability particularly concerning for organizations worldwide.

The flaw exists within the phMonitor component, a C++ binary that operates on port 7900 and is responsible for monitoring the health of FortiSIEM processes.

Researchers from watchTowr Labs discovered that the vulnerability stems from inadequate ...


Copyright of this story solely belongs to gbhackers.