Warning: OS command injection vulnerability in FortiSIEM. PoC available, Patch Immediately!

Published : 14/01/2026

    * Last update: 14/01/2026

    * Affected products:
         → FortiSIEM 7.4.0
         → FortiSIEM 7.3.0 through 7.3.4
         → FortiSIEM 7.1.0 through 7.1.8
         → FortiSIEM 7.0.0 through 7.0.4
         → FortiSIEM 6.7.0 through 6.7.10

    * Type: OS Command Injection

    * CVE/CVSS:
         → CVE-2025-64155: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Fortinet - https://fortiguard.fortinet.com/psirt/FG-IR-25-772

Risks

CVE-2025-64155 in FortiSIEM allows an unauthenticated attacker to execute unauthorized code, which can lead to a full system compromise and potentially expose sensitive information.

A SIEM is used to collect and analyze logs. Some networks are configured to expose a SIEM interface to the public internet which significantly increases the likelihood of exploitation. Successful attacks on these systems can then be used to move laterally onto the internal network.

A vulnerable instance that is publicly reachable over the internet is at risk of a high impact on confidentiality, integrity and availability.

Description

CVE-2025-64155 is an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability, where an unauthenticated attacker may execute unauthorized code or commands via crafted TCP requests.

Successful exploitation of this vulnerability allows an attacker to achieve remote code execution on the affected host. Fortinet's PSIRT specifies that this vulnerability does not affect the collector nodes, only the supervisor (super) and worker nodes.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.
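The description above names the vulnerability class (improper neutralization of special elements used in an OS command, CWE-78) and the monitoring section asks for detection of related suspicious activity. The following Python example, added here for illustration, shows the class in general: a command built by string concatenation beside its hardened form (allow-list validation plus an argv list, so no shell parses the input), and the same allow-list applied as a triage heuristic over request-log lines. It is not FortiSIEM's code and does not reproduce CVE-2025-64155: the lookup service, the `target` parameter, the endpoint and the log lines are all constructed.

```python
"""OS command injection (CWE-78): unsafe vs. hardened command construction,
plus a log heuristic built from the same allow-list.

Hypothetical example code. It is not FortiSIEM's code and does not describe
CVE-2025-64155; the service, parameter name and log format are constructed.
"""
import re
import subprocess
from urllib.parse import unquote

# Allow-list for a hostname-like parameter: letters, digits, dot and hyphen,
# starting with an alphanumeric, at most 253 characters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Characters a POSIX shell treats specially. Letting any of these reach a
# shell unneutralized is what "improper neutralization of special elements"
# in an OS command means.
SHELL_METACHARS = set(";|&$`<>(){}\n'\"\\*?")


def build_command_unsafe(target: str) -> str:
    """CWE-78 pattern: untrusted input spliced into a command string that a
    shell will parse. Whatever the shell treats specially in `target` is
    honoured, so the caller no longer controls which program runs."""
    return f"nslookup {target}"


def build_argv_safe(target: str) -> list[str]:
    """Hardened form: reject anything outside the allow-list, then return an
    argv list. With an argv list and shell=False the OS receives exactly two
    arguments and no shell ever interprets the parameter."""
    if not HOSTNAME_RE.fullmatch(target):
        raise ValueError(f"rejected parameter: {target!r}")
    return ["nslookup", target]


def run_safe(target: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Runs the validated argv without a shell (shell=False is the default)."""
    return subprocess.run(build_argv_safe(target), capture_output=True,
                          text=True, timeout=timeout)


def contains_shell_metachars(value: str) -> bool:
    """True if the value carries any shell metacharacter."""
    return any(ch in SHELL_METACHARS for ch in value)


# Constructed request-log lines in a generic "key=value" style (not FortiSIEM's
# format). Real logs usually carry URL-encoded parameters, hence the decoding
# step in flag_suspicious_lines().
SAMPLE_LOG_LINES = [
    "2026-01-14T10:00:01Z 198.51.100.7 POST /api/lookup target=example.com",
    "2026-01-14T10:00:05Z 198.51.100.7 POST /api/lookup target=example.com%3Bid",
    "2026-01-14T10:00:09Z 203.0.113.9 POST /api/lookup target=mail.example.org",
    "2026-01-14T10:00:12Z 203.0.113.9 POST /api/lookup target=%24(hostname)",
]

PARAM_RE = re.compile(r"\btarget=(\S+)")


def flag_suspicious_lines(lines: list[str]) -> list[str]:
    """Returns the lines whose decoded `target` parameter would have been
    rejected by the allow-list. A triage heuristic that produces leads for an
    analyst, not a verdict on exploitation."""
    flagged = []
    for line in lines:
        match = PARAM_RE.search(line)
        if not match:
            continue
        value = unquote(match.group(1))
        if contains_shell_metachars(value) or not HOSTNAME_RE.fullmatch(value):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in flag_suspicious_lines(SAMPLE_LOG_LINES):
        print("suspicious:", line)
```

The point of the hardened builder is that validation and the argv list work together: the allow-list stops unexpected input at the boundary, and the argv list means that even an input which slips past the allow-list is handed to the program as a single argument rather than to a shell. The log heuristic reuses the same allow-list, so what the service would reject is exactly what the analyst is asked to look at.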

References

NIST - https://nvd.nist.gov/vuln/detail/CVE-2025-64155