Summary

Vulnerability Name: Command Injection in the phMonitor Service of Fortinet FortiSIEM (CVE-2025-64155)
Released on: January 15, 2026
Affected Component: Fortinet FortiSIEM
Affected Versions:
  • Fortinet FortiSIEM 7.4.0
  • 7.3.0 ≤ Fortinet FortiSIEM ≤ 7.3.4
  • 7.2.0 ≤ Fortinet FortiSIEM ≤ 7.2.6
  • 7.1.0 ≤ Fortinet FortiSIEM ≤ 7.1.8
  • 7.0.0 ≤ Fortinet FortiSIEM ≤ 7.0.4
  • 6.7.0 ≤ Fortinet FortiSIEM ≤ 6.7.10
Vulnerability Type: Command execution
Exploitation Conditions:
  1. User authentication: not required.
  2. Precondition: default configuration.
  3. Trigger mode: remote.
Impact:
  Exploitation difficulty: easy. Unauthenticated attackers can exploit this vulnerability to execute arbitrary commands.
  Severity: critical. Exploitation can result in a full server compromise.
Official Solution: Available

About the Vulnerability

Component Introduction

FortiSIEM is a security information and event management (SIEM) product designed and developed by Fortinet. Its user and entity behavior analytics (UEBA) feature provides capabilities such as insider threat recognition, user behavior risk scoring, and compromised account detection. FortiSIEM is positioned as a network threat protection solution for enterprises of any size, but in practice it is most attractive to organizations that already run Fortinet devices such as FortiGate firewalls, because its native integration with those devices simplifies data sharing.

Vulnerability Description

On January 15, 2026, Sangfor FarSight Labs received notification of a command execution vulnerability in the phMonitor service of Fortinet FortiSIEM (CVE-2025-64155), rated critical.

Specifically, the phMonitor service of Fortinet FortiSIEM contains a command execution vulnerability. An unauthenticated remote attacker who can reach the service can send crafted TCP requests to it and execute arbitrary commands with root privileges, which amounts to a full compromise of the FortiSIEM server.

Affected Versions

The following Fortinet FortiSIEM versions are affected:

  • Fortinet FortiSIEM 7.4.0
  • 7.3.0 ≤ Fortinet FortiSIEM ≤ 7.3.4
  • 7.2.0 ≤ Fortinet FortiSIEM ≤ 7.2.6
  • 7.1.0 ≤ Fortinet FortiSIEM ≤ 7.1.8
  • 7.0.0 ≤ Fortinet FortiSIEM ≤ 7.0.4
  • 6.7.0 ≤ Fortinet FortiSIEM ≤ 6.7.10

Solutions

Remediation Solutions

Official Solutions

Fortinet has released fixed versions. Affected users are advised to update Fortinet FortiSIEM to the fixed release of their branch:

  • Fortinet FortiSIEM 7.4.1
  • Fortinet FortiSIEM 7.3.5
  • Fortinet FortiSIEM 7.2.7
  • Fortinet FortiSIEM 7.1.9

No fixed release is listed for the 7.0 and 6.7 branches; deployments on those branches cannot be patched in place and should be migrated to one of the fixed releases above.
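The affected ranges and fixed releases above are easy to misread by hand, especially for the two branches that have no in-place fix. The script below is an added example (not code from the Sangfor page or from Fortinet) that encodes exactly the ranges and fixed releases listed in this advisory and triages an inventory of FortiSIEM nodes against them; the function names, the `host,version` inventory format and the sample inventory are assumptions of this example.

```python
"""Triage FortiSIEM versions against CVE-2025-64155 (phMonitor command injection).

Added example, not code from the Sangfor page or from Fortinet. The affected
ranges and fixed releases are the ones listed in this advisory; the function
names, the inventory format and the sample inventory are assumptions.
"""
from typing import List, Optional, Tuple

# (branch, first affected, last affected, fixed release in that branch or None).
# The advisory lists no fixed release for the 7.0 and 6.7 branches, so those
# deployments must migrate to a fixed branch rather than patch in place.
AFFECTED_RANGES = [
    ((7, 4), (7, 4, 0), (7, 4, 0), "7.4.1"),
    ((7, 3), (7, 3, 0), (7, 3, 4), "7.3.5"),
    ((7, 2), (7, 2, 0), (7, 2, 6), "7.2.7"),
    ((7, 1), (7, 1, 0), (7, 1, 8), "7.1.9"),
    ((7, 0), (7, 0, 0), (7, 0, 4), None),
    ((6, 7), (6, 7, 0), (6, 7, 10), None),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; anything else is rejected rather than guessed."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def triage(version: str) -> Tuple[str, Optional[str]]:
    """Classify one version.

    Returns (status, recommendation):
      ("affected", "7.3.5")  -> vulnerable, upgrade to the named release
      ("affected", None)     -> vulnerable, branch has no fix listed: migrate
      ("fixed", None)        -> at or above the fixed release of an affected branch
      ("not-listed", None)   -> not covered by this advisory; check the vendor page
    """
    v = parse_version(version)
    for branch, first, last, fixed in AFFECTED_RANGES:
        if v[:2] != branch:
            continue
        if first <= v <= last:
            return ("affected", fixed)
        if fixed is not None and v >= parse_version(fixed):
            return ("fixed", None)
        return ("not-listed", None)
    return ("not-listed", None)


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Batch mode: 'host,version' lines in; (host, version, recommendation) for affected hosts out."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (f.strip() for f in line.split(",", 1))
        status, rec = triage(version)
        if status == "affected":
            hits.append((host, version, rec))
    return hits


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
# host,version
siem-super-01,7.3.4
siem-worker-01,7.3.4
siem-collector-dc2,6.7.9
siem-lab,7.4.1
""".splitlines()

if __name__ == "__main__":
    for host, version, rec in triage_inventory(SAMPLE_INVENTORY):
        action = f"upgrade to {rec}" if rec else "migrate to a fixed branch"
        print(f"{host}: {version} affected, {action}")
```

Versions are compared as integer tuples rather than strings so that `6.7.10` sorts after `6.7.9`; a branch that the advisory does not mention is reported as `not-listed` rather than silently treated as safe.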

Temporary Solutions

  1. Restrict access to TCP port 7900 of the phMonitor service to trusted sources only, such as the other FortiSIEM nodes that legitimately communicate with it, and block it from all other networks.
  2. Follow the principle of least privilege and strictly limit the permissions granted for sensitive operations.
  3. Do not expose the service to the Internet unless strictly necessary; limit access to trusted source ranges.
  4. Keep the system and its components updated to secure versions so that known vulnerabilities are patched as early as possible.
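Restricting port 7900 only helps if you can confirm that nothing outside the trusted ranges is actually talking to phMonitor. The script below is an added example (not code from the Sangfor page or from Fortinet) that checks a FortiSIEM node's connection table for peers of port 7900/tcp that fall outside an allowlist of trusted networks, and offers an active reachability probe to run from an untrusted vantage point. The sample `ss -tn` lines, the trusted ranges and the function names are constructed for this example.

```python
"""Flag connections to the phMonitor port (7900/tcp) from outside trusted ranges.

Added example, not code from the Sangfor page or from Fortinet. Port 7900 is
the port the advisory says to restrict; the log format, the trusted ranges and
the sample lines are constructed for this example.
"""
import ipaddress
import re
import socket
from typing import Iterable, List, Tuple

PHMONITOR_PORT = 7900

# Constructed sample in the shape of `ss -tn` output on a FortiSIEM node.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.10.1.5:7900       10.10.1.20:51822
ESTAB  0      0      10.10.1.5:7900       203.0.113.44:40112
ESTAB  0      0      10.10.1.5:443        198.51.100.9:55012
ESTAB  0      0      10.10.1.5:7900       10.10.2.7:39981
"""

# Assumed trusted ranges: the subnets holding the other FortiSIEM nodes.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.10.1.0/24", "10.10.2.0/24")]

# State Recv-Q Send-Q Local:Port Peer:Port; IPv6 peers appear as [addr]:port.
LINE_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def parse_ss(text: str) -> List[Tuple[str, int, str, int]]:
    """Return (local_addr, local_port, peer_addr, peer_port) per data row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header and anything unparseable is skipped
            continue
        local, lport, peer, pport = m.groups()
        rows.append((local.strip("[]"), int(lport), peer.strip("[]"), int(pport)))
    return rows


def untrusted_phmonitor_peers(text: str,
                              trusted: Iterable[ipaddress._BaseNetwork] = TRUSTED,
                              port: int = PHMONITOR_PORT) -> List[str]:
    """Peers connected to the phMonitor port that are not inside any trusted network."""
    trusted = list(trusted)
    flagged = []
    for _local, lport, peer, _pport in parse_ss(text):
        if lport != port:
            continue
        addr = ipaddress.ip_address(peer)
        if not any(addr in net for net in trusted):
            flagged.append(peer)
    return flagged


def port_reachable(host: str, port: int = PHMONITOR_PORT, timeout: float = 2.0) -> bool:
    """Active check from an untrusted network: True if a TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for peer in untrusted_phmonitor_peers(SAMPLE_SS_OUTPUT):
        print(f"phMonitor port {PHMONITOR_PORT} has an untrusted peer: {peer}")
```

On a real node, feed `ss -tn` output into `untrusted_phmonitor_peers`; a non-empty result means the port restriction is not in effect yet, and `port_reachable` run from a host outside the allowlist should return `False` once it is.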

Sangfor Solutions

Proactive Vulnerability Detection

The following Sangfor service can proactively detect CVE-2025-64155 and quickly identify at-risk assets in batches across business environments:

  • Athena Extended Detection and Response (XDR): The corresponding detection solution will be released on January 16, 2026. The rule ID is SF-2026-00433.

Vulnerability Monitoring

The following Sangfor services support monitoring for CVE-2025-64155 and can identify affected assets and the scope of impact in real time through traffic collection:

  • Athena Network Detection and Response (NDR): The corresponding monitoring solution will be released on January 16, 2026. The rule ID is 10011238.
  • Athena Managed Detection and Response (MDR): The corresponding monitoring solution will be released on January 16, 2026. The rule ID is 10011238. In this case, make sure that Athena MDR is integrated with Athena NDR.
  • Athena XDR: The corresponding monitoring solution will be released on January 16, 2026. The rule ID is 10011238.

Vulnerability Prevention

The following Sangfor services can effectively block CVE-2025-64155 exploits:

  • Athena Next-Generation Firewall (NGFW): The corresponding prevention solution will be released on January 16, 2026. The rule ID is 10011238.
  • Sangfor Web Application Firewall (WAF): The corresponding prevention solution will be released on January 16, 2026. The rule ID is 10011238.
  • Athena MDR: The corresponding prevention solution will be released on January 16, 2026. The rule ID is 10011238. In this case, make sure that Athena MDR is integrated with Athena NGFW.
  • Athena XDR: The corresponding prevention solution will be released on January 16, 2026. The rule ID is 10011238. In this case, make sure that Athena XDR is integrated with Athena NGFW.

Timeline

On January 15, 2026, Sangfor FarSight Labs received notification of the command execution vulnerability in the phMonitor service of Fortinet FortiSIEM (CVE-2025-64155).

On January 15, 2026, Sangfor FarSight Labs released a vulnerability alert.

Reference

https://fortiguard.fortinet.com/psirt/FG-IR-25-772

Learn More

Sangfor FarSight Labs researches the latest cyber threats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyber threats, providing fast and easy protection for customers.
