Researchers warn of long-running FortiSIEM root exploit vector as new CVE emerges

A critical command injection issue in Fortinet FortiSIEM has been disclosed along with public exploit code, and researchers claim attackers could have been remotely achieving unauthenticated root access to the SIEM platform for nearly three years. The flaw belongs to a class of weaknesses in FortiSIEM whose earlier disclosures go back to 2023 and 2024.

Tracked as CVE-2025-64155, the vulnerability affects the phMonitor service, an internal FortiSIEM component that runs with elevated privileges and plays a central role in system health and monitoring. The exploit code was disclosed this week by pentesting platform Horizon3.ai, which revealed that the flaw enables attackers to inject commands and write arbitrary files that are later executed as the root user.

According to Horizon3, the flaw was responsibly disclosed to Fortinet in August 2025 and remained private until the vendor released fixes and assigned a CVE on Tuesday.

phMonitor becomes an unauthenticated root gateway

The issue concerns FortiSIEM’s phMonitor service, which listens on TCP port 7900 and is designed to coordinate internal monitoring tasks. According to Horizon3.ai, insufficient input sanitization allows attackers to inject shell commands that ultimately get written to disk and executed with root privileges without authentication.

Because phMonitor is deeply integrated into FortiSIEM’s operational workflow, successful exploitation effectively hands attackers full control of the security information and event management (SIEM) appliance. That control can be leveraged to disable logging, tamper with alerts, or pivot laterally into the broader enterprise network.

Horizon3 researchers noted in a blog post that CVE-2025-64155 is not an isolated flaw but part of a broader class of phMonitor-related weaknesses that have surfaced over multiple disclosure cycles. Previously reported issues affecting the same service have enabled different forms of command or argument injection, sometimes with more limited primitives, but consistently exposing phMonitor as an unauthenticated attack surface.

“The phMonitor service marshals incoming requests to their appropriate function handlers based on the type of command sent in the API request,” they said. “Every command handler is mapped to an integer, which is passed in the command message. Security issue #1 is that all of these handlers are exposed and available for any remote client to invoke without any authentication.”

Prior to the CVE-2025-64155 disclosure, Fortinet had already patched a related critical command injection flaw in FortiSIEM tracked as CVE-2025-25256 earlier in August 2025. That vulnerability also stemmed from improper handling of input used in OS commands and was significant enough that Fortinet acknowledged working exploit code in the wild, prompting fixes in multiple supported FortiSIEM releases.

Exploit code changes the risk equation

While Fortinet has released patches and mitigation guidance, Tenable’s analysis highlights the likelihood of real-world attacks now that working exploit code is public.

“The recent disclosure of CVE-2025-64155 alongside public exploit code is a worrisome start to 2026,” said Scott Caveza, senior staff research engineer at Tenable. “Although no known exploitation has been reported, Fortinet vulnerabilities remain a top prize for attackers, including nation-state groups.”

Both Horizon3 and Tenable stress that organizations should immediately apply Fortinet’s patches and restrict access to port 7900 wherever possible. Even in the absence of confirmed exploitation, CVE-2025-64155 represents a high-value target.

CVE-2025-64155 carries a critical severity rating with a CVSS score of 9.4 out of 10, and affects multiple FortiSIEM releases, including 7.4.0, 7.3.0-7.3.4, 7.1.0-7.1.8, 7.0.0-7.0.4, and 6.7.0-6.7.10. Fortinet has released patched builds such as FortiSIEM 7.4.1, 7.3.5, 7.2.7, and 7.1.9 (and later) to address the issue.
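As an added triage helper (not Fortinet, Horizon3 or Tenable tooling), the script below classifies FortiSIEM version strings from an inventory against the affected ranges and first fixed builds exactly as the article lists them, so defenders can see which appliances still need the patch. It assumes three-component versions such as 7.3.2 and treats "and later" in a branch as fixed; branches the article does not name as affected are reported as "not listed" rather than guessed.

```python
# Added triage helper: classify FortiSIEM versions against the affected and
# fixed releases named in the article. Not vendor tooling; ranges are as published.
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as published (inclusive), keyed by (major, minor) branch.
AFFECTED = {
    (7, 4): ((7, 4, 0), (7, 4, 0)),
    (7, 3): ((7, 3, 0), (7, 3, 4)),
    (7, 1): ((7, 1, 0), (7, 1, 8)),
    (7, 0): ((7, 0, 0), (7, 0, 4)),
    (6, 7): ((6, 7, 0), (6, 7, 10)),
}

# First patched build per branch as published; anything later is also fixed.
FIXED = {
    (7, 4): (7, 4, 1),
    (7, 3): (7, 3, 5),
    (7, 2): (7, 2, 7),
    (7, 1): (7, 1, 9),
}

def parse_version(text: str) -> Version:
    """Turn '7.3.2' into (7, 3, 2); reject anything that is not three dotted integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    return tuple(int(p) for p in parts)

def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed_build) for one version string.

    status is 'fixed', 'affected' or 'not listed'; first_fixed_build is the
    patched build for that branch when the article names one, else None.
    """
    v = parse_version(text)
    branch = v[:2]
    fix = FIXED.get(branch)
    fix_str = ".".join(map(str, fix)) if fix else None
    if fix and v >= fix:
        return "fixed", fix_str
    rng = AFFECTED.get(branch)
    if rng and rng[0] <= v <= rng[1]:
        return "affected", fix_str
    return "not listed", fix_str

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names, not real systems).
    for host, ver in [("siem-a", "7.3.2"), ("siem-b", "7.4.1"), ("siem-c", "7.2.5"), ("siem-d", "6.7.10")]:
        print(host, ver, *assess(ver))
```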