Hackers now actively exploit critical Fortinet FortiSIEM vulnerability in attacks

16.01.2026 2 minutes Author: Newsman

Threat actors are actively exploiting a critical, unauthenticated vulnerability in Fortinet FortiSIEM, tracked as CVE-2025-64155, to run arbitrary commands with root privileges on vulnerable FortiSIEM servers. Exploit code for the bug was posted online before it was used in live attacks.

  • The flaw chains an OS command injection with a privilege escalation. As described in a recent post by Horizon3.ai researcher Zach Hanley, an attacker can send a TCP request containing crafted data to the phMonitor service and have it execute commands of the attacker's choosing, with no authentication required.

  • The underlying problem is that the phMonitor service exposes multiple command handlers to remote callers, giving an attacker potentially hundreds of paths to take control of the system. Horizon3.ai published a technical write-up and a working PoC exploit showing how an attacker obtains root by replacing the /opt/charting/redishb.sh script.

FortiSIEM versions 6.7 through 7.5 are affected. Fortinet has released fixes and advises upgrading to version 7.4.1, 7.3.5, 7.2.7 or 7.1.9, or later. Users on a branch without a fixed release listed here are advised to migrate to one of the versions above.

According to a recent blog post from the threat-intelligence company Defuse Labs, the bug has been exploited in real-world attacks. The post also lists indicators of compromise (IOCs) that may point to exploitation: for example, entries containing "PHL_ERROR" in /opt/phoenix/log/phoenix.logs may indicate that the bug has been used against your system. Such entries on their own are not proof of compromise; correlate them with the time and source of the connection to phMonitor before treating them as a confirmed intrusion.
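As an added example (not code from the article, from Horizon3.ai or from Defuse Labs), the following Python script performs the two checks a defender would run after reading this report: it classifies a FortiSIEM version against the fixed releases listed above, and it scans phoenix.logs for the "PHL_ERROR" indicator. Only the log path, the fixed-version list and the PHL_ERROR string come from the article; the sample log lines are constructed, and their layout (timestamp, process name, message) is an assumption made for the demonstration.

```python
"""Version and log-indicator checks for the FortiSIEM phMonitor bug.

Added example; the log-line layout below is assumed, not FortiSIEM's
documented format. Only the path, the version list and the PHL_ERROR
marker are taken from the report.
"""

# Fixed releases named in the report. Branches that are affected but have
# no fixed build listed (6.7, 7.0, 7.5) are flagged for migration.
FIXED_BY_BRANCH = {
    (7, 4): (7, 4, 1),
    (7, 3): (7, 3, 5),
    (7, 2): (7, 2, 7),
    (7, 1): (7, 1, 9),
}
AFFECTED_MIN_BRANCH = (6, 7)
AFFECTED_MAX_BRANCH = (7, 5)

PHOENIX_LOG = "/opt/phoenix/log/phoenix.logs"   # path from the report
DEFAULT_MARKERS = ("PHL_ERROR",)                 # indicator from the report


def parse_version(version):
    """'7.4' -> (7, 4, 0); '7.3.5' -> (7, 3, 5)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return (parts + (0, 0, 0))[:3]


def assess_version(version):
    """Classify a FortiSIEM version against the report's fixed releases.

    Returns one of:
      'patched'    - at or above the fixed build for its branch
      'vulnerable' - in a branch with a fix, but below the fixed build
      'migrate'    - in the affected range, but no fixed build listed
      'not_listed' - outside the 6.7..7.5 range the report covers
    """
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < AFFECTED_MIN_BRANCH or branch > AFFECTED_MAX_BRANCH:
        return "not_listed"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return "migrate"
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def scan_phoenix_log(lines, markers=DEFAULT_MARKERS):
    """Return every line containing one of the indicator markers.

    Each hit records the 1-based line number, the marker matched and the
    line text, so an analyst can correlate hits by time and source.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        for marker in markers:
            if marker in line:
                hits.append({"line_no": line_no, "marker": marker,
                             "text": line.rstrip("\n")})
                break
    return hits


def scan_file(path=PHOENIX_LOG, markers=DEFAULT_MARKERS):
    """Scan the live log on an appliance (run as root on the FortiSIEM host)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_phoenix_log(fh, markers)


# Constructed sample: the line layout is assumed for this example only.
SAMPLE_LOG = [
    "2026-01-16 09:58:01 phMonitor[1234]: INFO health check completed",
    "2026-01-16 09:58:43 phMonitor[1234]: PHL_ERROR unexpected payload in command handler",
    "2026-01-16 09:58:44 phMonitor[1234]: INFO handler returned",
    "2026-01-16 09:58:45 phMonitor[1234]: PHL_ERROR failed to parse request from 203.0.113.7",
    "2026-01-16 09:59:00 phParser[1300]: INFO rule reload",
]


if __name__ == "__main__":
    for v in ("7.4.0", "7.4.1", "7.5.0", "6.7.9"):
        print(f"{v}: {assess_version(v)}")
    for hit in scan_phoenix_log(SAMPLE_LOG):
        print(f"line {hit['line_no']}: {hit['text']}")
```

On a real appliance, replace SAMPLE_LOG with scan_file() and feed the hits into whatever correlation you use for phMonitor connections; the version check tells you whether the host was exposed at all during the window the hits cover.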

Overall, this FortiSIEM vulnerability is another reminder of how quickly bugs with public exploit code are weaponized in the wild. Organizations that rely on FortiSIEM should apply the security updates immediately, or restrict network access to the phMonitor service until they can, so that attackers cannot take complete control of the system.
