Exploit code has been published for CVE-2025-64155, a critical command injection vulnerability affecting Fortinet FortiSIEM devices.
Key takeaways:
- CVE-2025-64155 is a critical operating system (OS) command injection vulnerability affecting Fortinet FortiSIEM.
Fortinet vulnerabilities have historically been common targets for cyber attackers, with 23 Fortinet CVEs currently on the CISA KEV list.
Public exploit code has been released, increasing the likelihood that CVE-2025-64155 could be exploited by attackers.
Background
On January 13, Fortinet published a security advisory (FG-IR-25-772) for CVE-2025-64155, a critical command injection vulnerability affecting Fortinet FortiSIEM.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-64155 | Fortinet FortiSIEM Command Injection Vulnerability | 9.4 |
Analysis
CVE-2025-64155 is a critical operating system (OS) command injection vulnerability affecting Fortinet FortiSIEM. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code using specially crafted requests. Historical Exploitation of Fortinet Devices Fortinet vulnerabilities have historically been common targets for cyber attackers, with 23 Fortinet CVEs currently on the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list. At the time this blog was published on January 14, CVE-2025-64155 had not been added to the KEV, however we anticipate that it is likely to be added in the near future. As Fortinet devices have been popular targets for attackers, the Tenable Research Special Operations Team (RSO) has authored several blogs about vulnerabilities affecting these devices. The following table outlines some of the most impactful Fortinet vulnerabilities in recent years.
| CVE | Description | Published | Tenable Blog |
|---|---|---|---|
| CVE-2025-64446 | Fortinet FortiWeb Path Traversal Vulnerability | November 2025 | CVE-2025-64446: Fortinet FortiWeb Zero-Day Path Traversal Vulnerability Exploited in the Wild |
| CVE-2025-25256 | Fortinet FortiSIEM Command Injection Vulnerability | August 2025 | CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection Vulnerability |
| CVE-2025-32756 | Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera Arbitrary Code Execution Vulnerability | May 2025 | CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild |
| CVE-2024-55591 | Fortinet Authentication Bypass in FortiOS and FortiProxy | January 2025 | CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild |
| CVE-2024-21762 | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd | February 2024 | CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability |
| CVE-2023-27997 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | June 2023 | CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate) |
| CVE-2022-42475 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | December 2022 | CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNsAA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 |
| CVE-2022-40684 | FortiOS and FortiProxy Authentication Bypass Vulnerability | October 2022 | CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy |
Proof of concept
On January 13, in coordination with the release of the advisory by Fortinet, researchers at Horizon3.ai published a technical writeup as well as a proof of concept for CVE-2025-64155. While there has been no reports of in-the-wild exploitation, we anticipate that attackers will quickly incorporate this exploit into their attacks.
Solution
The following table details the affected and fixed versions of Fortinet FortiSIEM devices for CVE-2025-64155:
| Product Version | Affected Range | Fixed Version |
|---|---|---|
| FortiSIEM 6.7 | 6.7.0 through 6.7.10 | Migrate to a fixed release |
| FortiSIEM 7.0 | 7.0.0 through 7.0.4 | Migrate to a fixed release |
| FortiSIEM 7.1 | 7.1.0 through 7.1.8 | 7.1.9 or above |
| FortiSIEM 7.2 | 7.2.0 through 7.2.6 | 7.2.7 or above |
| FortiSIEM 7.3 | 7.3.0 through 7.3.4 | 7.3.5 or above |
| FortiSIEM 7.4 | 7.4.0 | 7.4.1 or above |
| FortiSIEM 7.5 | Not affected | – |
| FortiSIEM Cloud | Not affected | – |
Fortinet’s security advisory advises if immediate patching is not able to be performed, they recommend limiting access to the phMonitor port of 7900. We strongly recommend reviewing the advisory for updates as well as the latest on mitigation recommendations.
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-64155 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline. Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Fortinet devices by using the following subscription: 
Get more information
Fortinet FG-IR-25-772 Security Advisory Horizon3.AI Technical Writeup Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community. Learn more about Tenable One, the Exposure Management Platform for the modern attack surface. 
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2026/01/cve-2025-64155-exploit-code-released-for-critical-fortinet-fortisiem-command-injection-vulnerability/
