Fortinet customers are already familiar with 2026 even though the year has only just begun, because a new vulnerability is being exploited. A critical vulnerability in Fortinet's FortiSIEM platform, identified as CVE-2025-64155 and given a 9.4 CVSS score, was disclosed on January 13.

Through carefully constructed TCP requests, an unauthenticated attacker can achieve remote code execution (RCE) on FortiSIEM instances via the OS command injection vulnerability. CVE-2025-64155 has been exploited in the wild, according to a post made yesterday on X by cybersecurity vendor Defused. Defused's honeypots saw a lot of threat activity from various IP addresses, including three from Chinese providers.

In comparison to other critical flaws and exploits, Kohonen tells Dark Reading that the FortiSIEM flaw has received "above average attention" and that exploitation activity has increased to about 15 distinct actors. Fortinet was contacted by Dark Reading for comment, but as of the time of publication, the company had not replied. Horizon3, which found and reported CVE-2025-64155 to Fortinet, released a proof-of-concept (PoC) exploit and a technical blog post on Tuesday describing a familiar FortiSIEM attack surface.

According to Kohonen, the PoC exploit for Horizon3 appeared to be used in the exploitation activity against Defused honeypots.

In an email, he states, "I think it's safe to say the PoC has heavily influenced exploitation, with some of the exploit payloads being very similar to the [Horizon3] code (at a few occasions even verbatim, which is funny because there are placeholders in the exploit PoC)." In the blog post, Horizon3 attack engineer Zach Hanley described how the vulnerability resulted from a previously discovered security flaw with FortiSIEM's phMonitor service, which keeps an eye on the platform's operations and routes incoming requests to the appropriate command handlers. Hanley claims that the problem is that any remote user can invoke phMonitor's command handlers without authentication.

Because of this, attackers are able to misuse these command handlers and exploit administrative features like password retrieval and setting. The phMonitor problem has also resulted in earlier vulnerabilities; Horizon3 researchers found two maximum-severity FortiSIEM vulnerabilities, CVE-2024-23108 and CVE-2023-34992. According to Hanley, phMonitor now has a much smaller attack surface with fewer exposed handlers than in previous years, when it exposed a large portion of the handlers for administrative functions.

However, it seems that phMonitor has reared its ugly head once more. Customers running vulnerable FortiSIEM versions 6.7 through 7.4 were advised by Fortinet to update to a fixed version. The vendor suggested restricting access to phMonitor via port 7900 as a temporary mitigation.
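Fortinet's interim mitigation is to restrict who can reach the phMonitor service on TCP port 7900. The following is an added example, not code from the article, Fortinet or Horizon3, of how a defender might check that restriction against firewall logs: it parses key=value connection records, flags any TCP/7900 connection whose source is outside an assumed management allowlist, separates accepted connections (real exposure) from denied ones (blocked probes), and emits the nftables allowlist rules that would enforce the mitigation. The log format, the allowlisted subnets, the sample log lines, and the nftables table and chain names are all assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# From the article: FortiSIEM's phMonitor service listens on TCP port 7900.
PHMONITOR_PORT = 7900

# Assumption: management/collector subnets that are allowed to reach phMonitor.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed sample firewall log lines (key=value style); not real FortiSIEM
# or FortiGate output. The 203.0.113.0/24 and 198.51.100.0/24 ranges are
# documentation addresses used here to stand in for untrusted sources.
SAMPLE_LOGS = """\
ts=2026-01-14T09:12:01Z src=10.10.0.15 dst=10.20.0.5 dport=7900 proto=tcp action=accept
ts=2026-01-14T09:12:07Z src=203.0.113.77 dst=10.20.0.5 dport=7900 proto=tcp action=accept
ts=2026-01-14T09:12:09Z src=203.0.113.77 dst=10.20.0.5 dport=443 proto=tcp action=accept
ts=2026-01-14T09:13:22Z src=198.51.100.9 dst=10.20.0.5 dport=7900 proto=tcp action=deny
ts=2026-01-14T09:14:03Z src=192.168.50.4 dst=10.20.0.5 dport=7900 proto=udp action=accept
malformed line without fields
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    action: str  # "accept" means the connection actually reached phMonitor


def parse_line(line):
    """Parse one key=value log line; return None for malformed records."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    required = ("ts", "src", "dst", "dport", "proto", "action")
    if not all(key in fields for key in required):
        return None
    try:
        fields["dport"] = int(fields["dport"])
        ipaddress.ip_address(fields["src"])  # validates the address syntax
    except ValueError:
        return None
    return fields


def is_allowed_source(src):
    """True if src falls inside one of the allowlisted management subnets."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_SOURCES)


def find_phmonitor_exposure(lines):
    """Return findings for TCP/7900 connections from non-allowlisted sources."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # phMonitor is reached over TCP, so UDP records and other ports are ignored.
        if rec["dport"] != PHMONITOR_PORT or rec["proto"] != "tcp":
            continue
        if is_allowed_source(rec["src"]):
            continue
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["action"]))
    return findings


def exposed_sources(findings):
    """Sources whose connections were accepted: the mitigation is not in place."""
    return sorted({f.src for f in findings if f.action == "accept"})


def nft_allowlist_rules(table="inet filter", chain="input"):
    """nftables rules enforcing the mitigation (table/chain names are assumptions)."""
    rules = [
        f"nft add rule {table} {chain} ip saddr {net} tcp dport {PHMONITOR_PORT} accept"
        for net in ALLOWED_SOURCES
    ]
    rules.append(f"nft add rule {table} {chain} tcp dport {PHMONITOR_PORT} drop")
    return rules


if __name__ == "__main__":
    results = find_phmonitor_exposure(SAMPLE_LOGS.splitlines())
    for f in results:
        print(f"{f.ts} {f.src} -> {f.dst}:{PHMONITOR_PORT} ({f.action})")
    print("exposed to:", exposed_sources(results))
    print("\n".join(nft_allowlist_rules()))
```

Accepted connections from outside the allowlist are the ones that matter most: they show the port is still reachable despite the recommended restriction, whereas denied records confirm the filter is working and double as a simple probe count per source.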