Fortinet is warning about a remote unauthenticated command injection flaw in FortiSIEM that has in-the-wild exploit code, making it critical for admins to apply the latest security updates.
FortiSIEM is a central security monitoring and analytics system used for logging, network telemetry, and security incident alerts, serving as an integral part of security operation centers, where it's an essential tool in the hands of IT ops teams and analysts.
The product is generally used by governments, large enterprises, financial institutions, healthcare providers, and managed security service providers (MSSPs).
The flaw, tracked as CVE-2025-25256 and rated critical (CVSS: 9.8), impacts multiple branches of SIEM, from 5.4 up to 7.3.
"An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests," describes Fortinet.
While Fortinet does not outright state that the flaw was exploited as a zero-day, they did confirm that functional exploit code exists for the flaw.
"Practical exploit code for this vulnerability was found in the wild," noted the vendor.
Fortinet says exploitation of this flaw does not produce distinctive IOCs to determine if a device has been compromised.
This disclosure comes a day after GreyNoise warned of a massive spike in brute-force attacks targeting Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager. The network threat intelligence company warned that spikes of malicious traffic often precede the disclosure of a new vulnerability.
It is unclear if Fortinet's disclosure of CVE-2025-25256 is related to GreyNoise's report.
... continue reading