Fortinet Issues Critical Warning on FortiSIEM Vulnerability (CVE-2025-25256) Amid Active Exploitation

August 13, 2025 — Fortinet has released a critical security advisory concerning a severe vulnerability in its FortiSIEM platform, confirming that exploit code for this flaw is already circulating in the wild.

The bug, tracked as CVE-2025-25256, holds a CVSS severity rating of 9.8 out of 10, placing it in the highest risk category.

According to Fortinet, the issue stems from an OS Command Injection vulnerability (CWE-78). This flaw could allow an unauthenticated attacker to execute arbitrary commands or code on affected systems by sending specially crafted CLI requests.

Impacted Versions

Status of each FortiSIEM version branch and the required action:

  • FortiSIEM 6.1 to 6.6 – Migrate to a patched release
  • FortiSIEM 6.7.0 to 6.7.9 – Upgrade to 6.7.10 or later
  • FortiSIEM 7.0.0 to 7.0.3 – Upgrade to 7.0.4 or later
  • FortiSIEM 7.1.0 to 7.1.7 – Upgrade to 7.1.8 or later
  • FortiSIEM 7.2.0 to 7.2.5 – Upgrade to 7.2.6 or later
  • FortiSIEM 7.3.0 to 7.3.1 – Upgrade to 7.3.2 or later
  • FortiSIEM 7.4 – Not affected
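The version list above can be turned into a quick inventory check. The following is an added example, not code from Fortinet or the original article; the hostnames and inventory are constructed, and versions are compared as integers so that 6.7.10 correctly sorts after 6.7.9.

```python
import re

# Transcribed from the list above: (major, minor) -> first fixed patch level.
FIRST_FIXED_PATCH = {(6, 7): 10, (7, 0): 4, (7, 1): 8, (7, 2): 6, (7, 3): 2}


def parse_version(text):
    """Turn '7.1.5' or 'v6.7.10' into an integer tuple; a missing patch becomes 0."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(version_text):
    """Return (status, action) for one FortiSIEM version string."""
    major, minor, patch = parse_version(version_text)
    if major == 6 and 1 <= minor <= 6:
        return "affected", "migrate to a patched release"
    if (major, minor) in FIRST_FIXED_PATCH:
        fixed = FIRST_FIXED_PATCH[(major, minor)]
        if patch < fixed:  # integer compare, so 6.7.9 < 6.7.10
            return "affected", f"upgrade to {major}.{minor}.{fixed} or later"
        return "fixed", "none"
    if (major, minor) == (7, 4):
        return "not affected", "none"
    # Branches the article does not mention are reported, not guessed at.
    return "unlisted", "check the vendor advisory"


# Constructed inventory for illustration; hostnames are hypothetical.
INVENTORY = {
    "siem-super-01": "7.1.5",
    "siem-worker-02": "6.7.10",
    "siem-lab-03": "6.4.2",
    "siem-dr-04": "7.4.0",
}


def audit(inventory):
    """Triage every host and list affected ones first."""
    rows = [(host, ver, *triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (r[2] != "affected", r[0]))


if __name__ == "__main__":
    for host, ver, status, action in audit(INVENTORY):
        print(f"{host:16} {ver:8} {status:13} {action}")
```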

Exploit Code Detected in the Wild

Fortinet confirmed that functional exploit code has been observed in real-world environments, though it did not provide details about its distribution or origin. The company also warned that the exploitation method does not produce clear indicators of compromise (IoCs), making detection more challenging.

Recommended Mitigations

While applying security updates is strongly advised, Fortinet recommends the following workaround for organizations unable to upgrade immediately:

  • Restrict access to the phMonitor port (7900) to minimize potential attack vectors.

Growing Threat Landscape

This disclosure arrives just one day after threat intelligence firm GreyNoise reported a sharp increase in brute-force activity targeting Fortinet SSL VPN devices. The surge involves numerous IP addresses from countries including the United States, Canada, Russia, and the Netherlands, scanning devices worldwide.

Source: https://thehackernews.com/2025/08/fortinet-warns-about-fortisiem.html