### Fortinet Issues Urgent Warning on Critical Vulnerability in FortiSIEM
Fortinet has published an advisory for a critical OS command injection flaw in its FortiSIEM platform, tracked as CVE-2025-25256 and rated CVSS 9.8. Fortinet reports that working exploit code for the flaw has been found in the wild, so the score reflects a threat that is already practical rather than theoretical.
### Understanding the Vulnerability and Affected Versions
The flaw is an improper neutralization of special elements used in an operating system command (CWE-78). An unauthenticated attacker with network access can exploit it by sending specially crafted CLI requests, executing arbitrary commands on the appliance without any user interaction.
The FortiSIEM versions impacted by this flaw include:
– 6.1 to 6.6 (no fix in this branch; migrate to a fixed release)
– 6.7.0 to 6.7.9 (users should upgrade to 6.7.10 or later)
– 7.0.0 to 7.0.3 (an upgrade to 7.0.4 or higher is advised)
– 7.1.0 to 7.1.7 (recommended to upgrade to 7.1.8 or later)
– 7.2.0 to 7.2.5 (upgrade to 7.2.6+)
– 7.3.0 to 7.3.1 (upgrade to 7.3.2+)
– Version 7.4 is not susceptible.
### Recommended Actions from Fortinet
In light of this vulnerability, Fortinet advises immediate action. Organizations should upgrade to a fixed release or, as a temporary measure, restrict access to the phMonitor port (TCP 7900). This is the port FortiSIEM nodes use to communicate with one another, so only the supervisor, worker and collector hosts (or their subnets) should be able to reach it; any other source of traffic to that port is a candidate for investigation.
Fortinet also states that practical exploit code for the vulnerability has been found in the wild and that exploitation does not produce distinctive indicators of compromise (IoCs). Security teams therefore cannot rely on a signature for this one; the useful checks are whether the installed build is still in an affected range and which hosts can actually reach port 7900.
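The two checks above, version triage against the advisory's affected ranges and an allowlist review of who talks to the phMonitor port, as an added Python example written for this article rather than Fortinet's own code or tooling. The version ranges are the ones listed above; the trusted networks, host addresses, flow records and the nftables rule shape are constructed for illustration and must be adapted to the real deployment.

```python
"""Triage helper for CVE-2025-25256 (FortiSIEM OS command injection, phMonitor TCP 7900).

Added example for this article, not Fortinet's own code or tooling.
Version ranges follow the advisory; networks, hosts and flow records are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PHMONITOR_PORT = 7900

# (first affected, last affected, first fixed) per branch, as listed in the advisory.
BRANCHES = [
    ((7, 3, 0), (7, 3, 1), (7, 3, 2)),
    ((7, 2, 0), (7, 2, 5), (7, 2, 6)),
    ((7, 1, 0), (7, 1, 7), (7, 1, 8)),
    ((7, 0, 0), (7, 0, 3), (7, 0, 4)),
    ((6, 7, 0), (6, 7, 9), (6, 7, 10)),
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


@dataclass(frozen=True)
class Assessment:
    version: str
    affected: bool
    action: str


def assess_version(text: str) -> Assessment:
    """Map a reported version onto the advisory's affected branches and fixed releases."""
    v = parse_version(text)
    major, minor, _ = v
    # 6.1 through 6.6 has no in-branch fix: the advice is to migrate.
    if (6, 1) <= (major, minor) <= (6, 6):
        return Assessment(text, True, "migrate to a fixed release (no fix in 6.1-6.6)")
    for lo, hi, fixed in BRANCHES:
        if lo <= v <= hi:
            return Assessment(text, True, "upgrade to %d.%d.%d or later" % fixed)
    # 7.4 and the patched builds of each branch fall through here.
    return Assessment(text, False, "not listed as affected")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flows(lines: list[str]) -> list[Flow]:
    """Parse constructed 'src=... dst=... dport=...' records (shape assumed, not a real export format)."""
    flows = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        flows.append(Flow(fields["src"], fields["dst"], int(fields["dport"])))
    return flows


def untrusted_phmonitor_sources(flows: list[Flow], trusted: list[str]) -> list[str]:
    """Return sources that reached TCP 7900 from outside the trusted networks.

    With no distinctive IoCs, the answerable question is "who could reach
    phMonitor at all?", not "which request looked malicious?".
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    hits = {
        f.src
        for f in flows
        if f.dport == PHMONITOR_PORT
        and not any(ipaddress.ip_address(f.src) in n for n in nets)
    }
    return sorted(hits, key=ipaddress.ip_address)


def nft_ruleset(trusted: list[str]) -> str:
    """Render an nftables snippet admitting TCP 7900 only from the trusted set (illustrative shape)."""
    elements = ", ".join(trusted)
    return (
        "table inet fortisiem {\n"
        f"  set trusted {{ type ipv4_addr; flags interval; elements = {{ {elements} }} }}\n"
        "  chain input {\n"
        "    type filter hook input priority 0; policy accept;\n"
        f"    tcp dport {PHMONITOR_PORT} ip saddr @trusted accept\n"
        f"    tcp dport {PHMONITOR_PORT} drop\n"
        "  }\n"
        "}\n"
    )


# Constructed sample: supervisor at 10.20.0.10, collectors in 10.20.1.0/24, one worker at 10.20.0.11.
TRUSTED_NETWORKS = ["10.20.1.0/24", "10.20.0.11"]
SAMPLE_FLOWS = [
    "src=10.20.1.5 dst=10.20.0.10 dport=7900",
    "src=10.20.0.11 dst=10.20.0.10 dport=7900",
    "src=203.0.113.42 dst=10.20.0.10 dport=7900",  # unexpected external source
    "src=192.168.77.3 dst=10.20.0.10 dport=7900",  # unexpected internal segment
    "src=203.0.113.42 dst=10.20.0.10 dport=443",   # not phMonitor, out of scope here
]

if __name__ == "__main__":
    for ver in ["6.4.2", "6.7.9", "7.0.4", "7.3", "7.4.0"]:
        a = assess_version(ver)
        print(f"{a.version:>7}: {'AFFECTED' if a.affected else 'ok':>8}  {a.action}")
    print("untrusted sources on 7900:",
          untrusted_phmonitor_sources(parse_flows(SAMPLE_FLOWS), TRUSTED_NETWORKS))
    print(nft_ruleset(TRUSTED_NETWORKS))
```

Run it as-is to see the constructed sample flagged; in practice feed `parse_flows` a real export of connections to the supervisor and put the actual supervisor, worker and collector addresses in `TRUSTED_NETWORKS`. The version check treats "7.3" as 7.3.0 and rejects strings it cannot parse rather than silently marking them safe, which is the failure mode you do not want in a patch-status script.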
### Rise in Brute-Force Attacks Targeting Fortinet SSL VPNs
The advisory lands shortly after GreyNoise reported a marked increase in brute-force attempts against Fortinet SSL VPN devices. As of August 3, 2025, more than 780 unique IP addresses, located in countries including the United States, Canada, Russia and the Netherlands, had been observed attempting to authenticate to VPN endpoints worldwide.
GreyNoise also observed a shift around August 5, when the traffic stopped matching its FortiOS profile and began matching its FortiManager (FGFM) profile instead, suggesting the operators changed tooling or target mid-campaign.
GreyNoise has previously reported that surges in brute-force activity against a vendor's products often precede a new CVE disclosure for that vendor, typically within a six-week window.
### Key Details about CVE-2025-25256
| **Issue** | **Details** |
|---|---|
| Vulnerability | CVE-2025-25256 – critical OS command injection in FortiSIEM (CVSS 9.8) |
| Exploit Status | Actively exploited; lacks clear IoCs |
| Affected Versions | FortiSIEM 6.1 through 7.3.1 (see the per-branch list above); 7.4 is not affected |
| Recommended Action | Patch to latest fixed version; restrict access to phMonitor port (TCP 7900) |
| Related Attack Trends| Large-scale brute-force attacks on SSL VPNs and shifts toward FortiManager |
| Strategic Insight | Spikes in brute-force attacks often precede new vulnerability disclosures |
Given the current landscape, organizations relying on FortiSIEM must act swiftly to implement necessary patches. If immediate updates aren’t feasible, tightening access to critical internal ports like 7900 can provide a temporary safeguard. Additionally, the recent uptick in brute-force attacks—particularly those pivoting toward FortiManager—indicates a concerted and escalating threat, demanding heightened vigilance.