FortiSIEM Remote Unauthenticated Command Injection

Fortra is actively researching improper neutralization of special elements used in an OS command injection vulnerability [CWE-78] in FortiSIEM. This vulnerability may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests.

Who is affected?

CVE-2025-25256 impacts the following versions of FortiSIEM:

• FortiSIEM 7.3.0 - 7.3.1
• FortiSIEM 7.2.0 - 7.2.5
• FortiSIEM 7.1.0 - 7.1.7
• FortiSIEM 7.0.0 - 7.0.3
• FortiSIEM 6.7.0 - 6.7.9
• FortiSIEM 6.6 - all versions
• FortiSIEM 6.5 - all versions
• FortiSIEM 6.4 - all versions
• FortiSIEM 6.3 - all versions
• FortiSIEM 6.2 - all versions
• FortiSIEM 6.1 - all versions
• FortiSIEM 5.4 - all versions

What can I do?

Customers should limit access to the phMonitor port 7900 to mitigate this vulnerability and protect themselves.

The vendor has released the following updates to resolve this vulnerability:

Additional information can be found at:

• Vendor Advisory: PSIRT - FortiGuard Labs
• NIST Advisory: NVD - CVE-2025-25256

How is Fortra helping me?

Fortra is actively researching this threat to build detection capabilities.

• Tripwire IP360: Tripwire released local scan coverage on August 19, 2025, to identify vulnerable instances. The following table identifies matching vulnerabilities.

Updates

Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated as new information about it and related security coverage becomes available.

9/19/2025: Tripwire released local scan coverage to identify vulnerable instances for CVE-2025-25256.