FortiSIEM RCE Flaw Lets Attackers Gain Root Without Auth
CVE-2025-64155 in Fortinet's SIEM product enables unauthenticated command injection via phMonitor service. CVSS 9.4, patches now available.
Fortinet has patched a critical remote code execution vulnerability in FortiSIEM that allows unauthenticated attackers to execute commands as root. Horizon3.ai, which discovered and reported the flaw, published technical details yesterday after a 151-day disclosure timeline.
The vulnerability, tracked as CVE-2025-64155, carries a CVSS score of 9.4. It affects FortiSIEM Super and Worker nodes across nearly all supported versions. FortiSIEM Cloud deployments are not impacted.
How the Attack Works
The flaw resides in the phMonitor service, a backend component that handles health monitoring and inter-node communication on TCP port 7900. The service exposes numerous command handlers—many of which require no authentication.
Horizon3.ai researchers found that attackers can inject arbitrary arguments into logging requests sent to Elasticsearch. This argument injection enables arbitrary file writes with admin-level privileges. From there, the path to root is straightforward.
The exploit weaponizes FortiSIEM's own cron job. By writing a reverse shell to /opt/charting/redishb.sh—a file the admin user can modify—attackers hijack a scheduled task that runs every minute with root permissions. The result: unauthenticated attackers gain complete control of the appliance.
The attack requires only network access to port 7900. No credentials needed. No user interaction.
Affected Versions
The vulnerability spans multiple FortiSIEM release branches:
- FortiSIEM 6.7.0 through 6.7.10 (migration required)
- FortiSIEM 7.0.0 through 7.0.4 (migration required)
- FortiSIEM 7.1.0 through 7.1.8 (upgrade to 7.1.9 or later)
- FortiSIEM 7.2.0 through 7.2.6 (upgrade to 7.2.7 or later)
- FortiSIEM 7.3.0 through 7.3.4 (upgrade to 7.3.5 or later)
- FortiSIEM 7.4.0 (upgrade to 7.4.1 or later)
Organizations running FortiSIEM 6.x or 7.0.x face the most complicated remediation—patches aren't available for these branches, so a full migration to a newer version is the only fix.
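As an added example (not code from the article, Horizon3.ai or Fortinet), the following Python helper maps FortiSIEM node versions onto the affected ranges and remediation actions listed above, so an inventory can be triaged in one pass. The node inventory, the role labels and the tolerance for a build suffix after the version are constructed assumptions.

```python
"""Triage FortiSIEM node versions against the CVE-2025-64155 affected ranges."""
from dataclasses import dataclass

# Affected branches from the advisory as (first, last, remediation).
# The 6.7.x and 7.0.x branches have no patch, so the action is a migration.
AFFECTED = [
    ((6, 7, 0), (6, 7, 10), "migrate to a fixed release branch"),
    ((7, 0, 0), (7, 0, 4), "migrate to a fixed release branch"),
    ((7, 1, 0), (7, 1, 8), "upgrade to 7.1.9 or later"),
    ((7, 2, 0), (7, 2, 6), "upgrade to 7.2.7 or later"),
    ((7, 3, 0), (7, 3, 4), "upgrade to 7.3.5 or later"),
    ((7, 4, 0), (7, 4, 0), "upgrade to 7.4.1 or later"),
]


def parse_version(text):
    """Turn 'major.minor.patch' into a comparable tuple.
    A trailing build suffix such as '-1234' is tolerated (assumed format)."""
    core = text.strip().split("-")[0].split()
    parts = [int(p) for p in core[0].split(".")] if core else []
    if len(parts) != 3:
        raise ValueError(f"unexpected FortiSIEM version format: {text!r}")
    return tuple(parts)


def assess(version_text):
    """Return (vulnerable, action) for one Super or Worker node version."""
    v = parse_version(version_text)
    for first, last, action in AFFECTED:
        if first <= v <= last:
            return True, action
    # Outside every listed range: the advisory names no action for it.
    return False, "not in an affected range per the advisory"


@dataclass
class Node:
    name: str
    role: str  # constructed labels: "super", "worker" or "cloud"
    version: str


def triage(nodes):
    """Map each node name to its (vulnerable, action); Cloud is out of scope."""
    report = {}
    for n in nodes:
        if n.role == "cloud":
            report[n.name] = (False, "FortiSIEM Cloud: not impacted")
        else:
            report[n.name] = assess(n.version)
    return report


# Constructed inventory, not real hosts.
INVENTORY = [
    Node("siem-super-01", "super", "7.2.6"),
    Node("siem-worker-01", "worker", "7.1.9"),
    Node("siem-worker-02", "worker", "7.0.4"),
    Node("siem-worker-03", "worker", "6.7.10-1234"),
    Node("siem-cloud", "cloud", "7.3.4"),
]

if __name__ == "__main__":
    for name, (vuln, action) in triage(INVENTORY).items():
        print(f"{name}: {'VULNERABLE' if vuln else 'ok'} - {action}")
```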
Immediate Mitigations
If patching immediately isn't feasible, Fortinet recommends restricting network access to the phMonitor service. Block or tightly limit access to TCP port 7900, ensuring FortiSIEM services are only reachable from trusted administrative networks.
This is a stopgap. The vulnerability is trivial to exploit once an attacker has network visibility, and SIEM platforms often have broad network access by design.
Disclosure Timeline
Horizon3.ai reported the vulnerability to Fortinet PSIRT on August 14, 2025. Fortinet confirmed reproduction on September 16. The public advisory dropped January 12, 2026—151 days after initial report.
The delay is notable. Fortinet products have been heavily targeted by both criminal and state-sponsored actors throughout 2025. Every day between disclosure and patch release represents a window where sophisticated attackers—who often acquire vulnerability details through their own research or underground markets—can exploit unpatched systems.
Why This Matters
FortiSIEM sits at the center of security operations for organizations that deploy it. These platforms ingest logs from across the enterprise, monitor for threats, and trigger incident response workflows. Compromising the SIEM gives attackers visibility into defensive capabilities while simultaneously providing a pivot point into connected systems.
The pattern is familiar. Security appliances—firewalls, VPNs, SIEM platforms—make attractive targets precisely because they have privileged network positions and are often trusted implicitly. This is the second major Fortinet vulnerability to require emergency attention in the past month.
Organizations running FortiSIEM should treat this as an emergency. Check your version, apply the appropriate update or migration, and restrict phMonitor access immediately.