Fortinet’s Achilles Heel: FortiSIEM Flaw Ignites Global Hacking Frenzy
A critical command injection bug in FortiSIEM is being mass-exploited, reigniting concerns over Fortinet’s edge device security.
The ink was barely dry on Fortinet’s latest security advisory when cyber attackers pounced. Within hours of public disclosure, hackers worldwide - many from China - began targeting a newly revealed flaw in Fortinet’s FortiSIEM platform. For Fortinet customers, déjà vu: another year, another zero-day.
On January 13, Fortinet disclosed CVE-2025-64155, a critical OS command injection vulnerability in its FortiSIEM product. Security vendor Defused quickly observed a surge of exploitation attempts, mostly traced to a variety of global IPs, with a notable cluster from China. Simo Kohonen, Defused’s CEO, characterized the attack wave as “above average,” with at least 15 separate actors actively probing and exploiting the flaw.
The technical root of the issue lies in FortiSIEM’s phMonitor service, which handles process monitoring and command routing. According to Horizon3, who discovered and responsibly disclosed the bug, phMonitor’s command handlers are exposed to the internet - no authentication required. This gaping hole allows attackers to invoke powerful administrative functions remotely, including password retrieval and modification, simply by sending crafted TCP requests to the right port.
Worryingly, this is not phMonitor’s first security blunder. In recent years, similar vulnerabilities (CVE-2024-23108, CVE-2023-34992) have plagued the same service, each time granting attackers maximum control over FortiSIEM instances. While Fortinet has since reduced the number of exposed command handlers, this latest flaw proves that the attack surface, though smaller, remains dangerously exposed.
The situation escalated after Horizon3 published a detailed technical blog and a proof-of-concept exploit. Defused’s honeypots quickly detected attackers re-using the public exploit code - sometimes verbatim, placeholders and all. The open availability of weaponized code turbocharged the rate and scale of real-world attacks.
Fortinet has urged all customers running FortiSIEM versions 6.7 through 7.4 to patch immediately. As a stopgap, limiting external access to the phMonitor service (port 7900) is advised. But as history shows, attackers move fast - often faster than defenders can patch. The cycle of disclosure, exploitation, and remediation continues, with defenders hoping not to fall behind.
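As an added example (not code from the article, Fortinet, Defused or Horizon3), this Python helper turns the two action items above into a triage check over an inventory: it flags hosts whose FortiSIEM version falls in the 6.7 through 7.4 range Fortinet listed as affected, and, from firewall log lines, hosts whose phMonitor port 7900 accepted a connection from outside a management allowlist. The 10.10.0.0/16 allowlist, the log line format and every address and version below are constructed assumptions.

```python
import ipaddress

AFFECTED_RANGE = ((6, 7), (7, 4))  # inclusive major.minor bounds named in the advisory
PHMONITOR_PORT = 7900
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # assumed management allowlist


def version_affected(version: str) -> bool:
    """True when major.minor is inside the affected range. The exact fixed
    build within a branch has to come from the vendor advisory itself."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return AFFECTED_RANGE[0] <= (major, minor) <= AFFECTED_RANGE[1]


def flag_external_phmonitor(log_lines):
    """Return (src, dst) pairs where a source outside MGMT_NETS was ACCEPTED on
    port 7900. Constructed line format: '<src> -> <dst>:<port> <ACCEPT|DROP>'."""
    hits = []
    for line in log_lines:
        src, _, dst_port, verdict = line.split()
        dst, port = dst_port.rsplit(":", 1)
        external = not any(ipaddress.ip_address(src) in net for net in MGMT_NETS)
        if int(port) == PHMONITOR_PORT and verdict == "ACCEPT" and external:
            hits.append((src, dst))
    return hits


def triage(inventory, log_lines):
    """inventory maps host -> FortiSIEM version; returns {host: [actions]} where
    'patch' = affected version and 'restrict-7900' = phMonitor reached externally."""
    exposed = {dst for _, dst in flag_external_phmonitor(log_lines)}
    report = {}
    for host, version in inventory.items():
        actions = []
        if version_affected(version):
            actions.append("patch")
        if host in exposed:
            actions.append("restrict-7900")
        if actions:
            report[host] = actions
    return report


SAMPLE_INVENTORY = {"192.0.2.10": "7.2.1", "192.0.2.11": "7.5.0"}  # constructed
SAMPLE_LOG = [  # constructed firewall log lines
    "10.10.4.7 -> 192.0.2.10:7900 ACCEPT",      # management host: expected
    "198.51.100.23 -> 192.0.2.10:7900 ACCEPT",  # external source reached phMonitor
    "198.51.100.23 -> 192.0.2.10:443 ACCEPT",   # not the phMonitor port
    "203.0.113.5 -> 192.0.2.10:7900 DROP",      # already blocked by the stopgap
]
```

Running `triage(SAMPLE_INVENTORY, SAMPLE_LOG)` reports the first host for both actions and nothing for the second, which is outside the affected range and was never reached externally.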
With FortiSIEM’s phMonitor in the crosshairs yet again, the episode underscores a grim reality: for critical edge devices, even a single exposed service can open the floodgates to global exploitation. As attackers become ever more agile, the burden is on vendors and customers alike to close gaps - before the next zero-day strikes.
WIKICROOK
- Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
- Proof-of-Concept (PoC): A Proof-of-Concept (PoC) is a demonstration showing that a cybersecurity vulnerability can be exploited, helping to validate and assess real risks.
- Command Injection: Command Injection is a vulnerability where attackers trick systems into running unauthorized commands by inserting malicious input into user fields or interfaces.
- Honeypot: A honeypot is a fake system set up to attract cyber attackers, enabling organizations to study attack methods without endangering real assets.
- CVSS Score: A CVSS Score rates the severity of security vulnerabilities from 0 to 10, with higher numbers indicating greater risk and urgency for response.