Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet's Security Information and Event Management (SIEM) solution that could be leveraged by a remote, unauthenticated attacker to execute commands or code.
The vulnerability is tracked as CVE-2025-25256, and is a combination of two issues that permit arbitrary write with admin permissions and privilege escalation to root access.
Researchers at penetration testing company Horizon3.ai reported the security issue in mid-August 2025. In early November, Fortinet addressed it in four out of five development branches of the product and announced this week that all vulnerable versions have been patched.
Fortinet describes the CVE-2025-25256 vulnerability as "an improper neutralization of special elements used in an OS command vulnerability in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests."
Horizon3.ai has published a detailed write-up explaining that the root cause of the issue is the exposure of dozens of command handlers on the phMonitor service, which can be invoked remotely without authentication.
The researchers say that this service has been the entry point for multiple FortiSIEM vulnerabilities over several years, like CVE-2023-34992 and CVE-2024-23108, and underline that ransomware groups like Black Basta have previously shown sincere interest in these flaws.
Along with technical details about CVE-2025-25256, the researchers have also published a demonstrative exploit. Since the vendor delivered the fix and published a security advisory, the researchers decided to share the exploit code.
The flaw impacts FortiSIEM versions from 6.7 to 7.5, and fixes were made available to the following releases:
FortiSIEM 7.4.1 or above
FortiSIEM 7.3.5 or above
... continue reading