
Fortinet has patched a critical vulnerability in FortiSIEM that an unauthenticated attacker could have exploited to execute arbitrary code on vulnerable instances.
The flaw is tracked as CVE-2025-64155 and carries a CVSS score of 9.4 out of 10.0.
Specifically, the issue lies in how FortiSIEM’s phMonitor service, a backend process responsible for health monitoring, task dispatching, and inter-node communication over TCP port 7900, handles incoming requests related to security event logging to Elasticsearch.
The resulting file-write capability is limited, but it can be turned into full system compromise: by injecting curl arguments, an attacker can write a reverse shell into the file “/opt/charting/redishb.sh”. That file is writable by the administrative user and is executed every minute by a cron job running as root, so whatever is placed in it runs with root privileges.
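The following is an added illustration of the bug class described above, curl argument injection in a backend handler, and is not FortiSIEM's or Horizon3.ai's code. The handler shape, the Elasticsearch bulk endpoint on port 9200 and the `/tmp/events.ndjson` payload file are assumptions for the example; the only detail taken from the article is the target path `/opt/charting/redishb.sh`. The vulnerable builder splices a caller-controlled host into a command string that is later tokenised, so a host value containing `-o <path>` becomes a curl output option; the hardened builder validates the host and constructs a fixed argv list instead.

```python
import re
import shlex

# Added example, not FortiSIEM code. The handler, the Elasticsearch bulk URL
# and the payload file name are assumptions chosen to illustrate the bug class.

# Strict hostname grammar: labels of letters, digits and hyphens, no whitespace,
# no leading '-' so the value can never be mistaken for a curl option.
HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def build_curl_argv_vulnerable(es_host: str) -> list[str]:
    """Vulnerable pattern: the caller-supplied host is spliced into a command
    string that is then tokenised. Whitespace in es_host yields extra tokens,
    and curl treats tokens such as '-o PATH' as options, not as part of the URL."""
    cmd = f"curl -s -XPOST http://{es_host}:9200/_bulk --data-binary @/tmp/events.ndjson"
    return shlex.split(cmd)


def build_curl_argv_hardened(es_host: str) -> list[str]:
    """Hardened pattern: reject anything that is not a plain hostname and build
    a fixed argv list (to be passed to subprocess without shell=True), so the
    input can only ever occupy the URL slot."""
    if not HOST_RE.fullmatch(es_host):
        raise ValueError(f"refusing suspicious Elasticsearch host: {es_host!r}")
    return [
        "curl", "-s", "-XPOST",
        f"http://{es_host}:9200/_bulk",
        "--data-binary", "@/tmp/events.ndjson",
    ]


def injected_output_paths(argv: list[str]) -> list[str]:
    """Return the file paths curl would write to because of -o/--output options
    in argv. This lets the example show the effect of an injected token list
    without actually running curl."""
    paths = []
    for i, tok in enumerate(argv):
        if tok in ("-o", "--output") and i + 1 < len(argv):
            paths.append(argv[i + 1])
        elif tok.startswith("-o") and len(tok) > 2:
            paths.append(tok[2:])  # curl also accepts the glued form -oPATH
    return paths


if __name__ == "__main__":
    # Constructed attacker input: a trailing junk token absorbs the ':9200/_bulk'
    # suffix so the injected path is written exactly as given.
    evil_host = "es.internal -o /opt/charting/redishb.sh x"
    argv = build_curl_argv_vulnerable(evil_host)
    print("vulnerable argv:", argv)
    print("files curl would write:", injected_output_paths(argv))
    print("hardened argv:", build_curl_argv_hardened("es.internal"))
    try:
        build_curl_argv_hardened(evil_host)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The point of the hardened version is not the regular expression by itself but the combination: validation that excludes whitespace and a leading hyphen, plus an argv list in which the untrusted value is confined to a single positional slot. Either measure alone leaves gaps; a regex without a fixed argv still relies on how the string is later split, and a fixed argv without validation still lets a value beginning with `-` be parsed as an option if it lands in the wrong position.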
In other words, writing a reverse shell into this file escalates privileges from administrator to root, giving the attacker unrestricted control of the FortiSIEM appliance. Critically, the phMonitor service exposes several command handlers that require no authentication, so an attacker only needs network access to port 7900 to reach them.
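The privilege escalation step rests on a misconfiguration that is easy to audit on any host: a root cron job executing a file that a lower-privileged account can rewrite. The following is an added example, not code from the article or from Fortinet, that parses `/etc/cron.d`-style entries and flags scripts run as root that are owned by a non-root user or are group/world-writable. The crontab text and the file metadata are constructed for the example; only the `/opt/charting/redishb.sh` entry mirrors what the article describes, and the assumed admin uid of 500 is made up.

```python
import os
import re
import stat
from dataclasses import dataclass

# Added example, not FortiSIEM code. Constructed sample in /etc/cron.d format
# (minute hour dom month dow user command). The redishb.sh line mirrors the
# article; the other two entries are made up so the audit has both unsafe and
# safe cases to classify.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
* * * * * root /opt/charting/redishb.sh
*/5 * * * * root /usr/local/bin/rotate-logs.sh --quiet
0 3 * * * admin /home/admin/cleanup.sh
"""


@dataclass
class FakeStat:
    """Minimal stand-in for os.stat_result so the audit can run offline."""
    st_uid: int
    st_gid: int
    st_mode: int


# Constructed file metadata standing in for os.stat() results on the appliance.
# uid 500 is an assumed non-root administrative account.
FAKE_FS = {
    "/opt/charting/redishb.sh": FakeStat(st_uid=500, st_gid=500, st_mode=0o100755),
    "/usr/local/bin/rotate-logs.sh": FakeStat(st_uid=0, st_gid=0, st_mode=0o100755),
    "/home/admin/cleanup.sh": FakeStat(st_uid=500, st_gid=500, st_mode=0o100755),
}

# Absolute paths in a command, stopping at shell metacharacters.
PATH_RE = re.compile(r"(?<!\S)(/[^\s;|&>]+)")


def parse_system_crontab(text: str):
    """Yield (user, command) for each active line in system crontab format.
    Comment lines, blank lines and malformed entries are skipped; @reboot-style
    shortcuts are not handled in this example."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        yield parts[5], parts[6]


def script_is_tamperable(st, trusted_uids=(0,)) -> bool:
    """True if someone other than root can rewrite the file: either the owner
    is not root, or the group/other write bits are set."""
    if st.st_uid not in trusted_uids:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_cron(text: str, stat_of=os.stat):
    """Return (path, owner_uid, mode) for every script a root cron entry runs
    that a non-root account could modify. stat_of is injectable so the example
    can run against the constructed FAKE_FS instead of the real filesystem."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue  # only root-executed jobs provide an escalation path
        for path in PATH_RE.findall(command):
            try:
                st = stat_of(path)
            except (OSError, KeyError):
                continue  # missing file or unknown path in the fake filesystem
            if script_is_tamperable(st):
                findings.append((path, st.st_uid, oct(st.st_mode & 0o777)))
    return findings


if __name__ == "__main__":
    for path, uid, mode in audit_root_cron(SAMPLE_CRONTAB, stat_of=FAKE_FS.__getitem__):
        print(f"root cron runs {path} but it is owned by uid {uid} (mode {mode})")
```

On a live host the same function runs with the default `stat_of=os.stat` over the contents of the system crontab and cron directories wherever the appliance defines its jobs. The owner check matters as much as the mode bits: a file with mode 0755 looks harmless until you notice it belongs to an account that is not root, which is exactly the condition the article describes.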
The flaw was discovered by Zach Hanley, a security researcher at Horizon3.ai, who is credited with reporting it to Fortinet on August 14, 2025.
Fortinet said the vulnerability only affects Super and Worker nodes and has been fixed in the following releases:
