CVE-2025-25256: Critical Unauthenticated RCE in Fortinet FortiSIEM

CVE-2025-25256 is a critical vulnerability affecting Fortinet’s FortiSIEM that allows a remote attacker to execute arbitrary commands on a target FortiSIEM appliance. Crucially, the attack requires no authentication credentials and no interaction from a legitimate user. Fortinet’s official advisory confirmed that an exploit has been seen in the wild. Threat actors are actively mapping potential targets and are pre-positioned to exploit this new vulnerability on a mass scale.

Threat alert
August 20, 2025

Root Cause

The attack surface is the phMonitor service, an internal component of the FortiSIEM platform. This service is a C++ binary that listens on TCP port 7900 and is responsible for monitoring the health of other FortiSIEM processes and distributing tasks between the Supervisor and Worker nodes that form a FortiSIEM cluster.

Researchers pinpointed the vulnerable code within the phMonitorProcess::handleStorageArchiveRequest function, which handles requests related to archiving data to external storage.

The root cause lies in the use of an insecure, custom-developed function, ShellCmd::addParaSafe, to process user-controlled input before that input is used to construct an operating system command. The function attempts to sanitise input by escaping single and double quote characters; however, it fails to neutralise other shell metacharacters.

Exploitation process

Crafting the Malicious Payload: The attacker constructs a malicious XML payload with several specific conditions identified through reverse engineering:

  • The <scope> XML element must contain the value local.
  • The <archive_storage_type> element must be set to nfs. The code path explicitly checks for and exits if the type is hdfs.
  • The payload must include non-empty values for both the <archive_nfs_server_ip> and <archive_nfs_archive_dir> elements.

Command Injection: The attacker embeds the malicious OS commands within the values of the <archive_nfs_server_ip> or <archive_nfs_archive_dir> elements.

Command Construction on the Server: The handleStorageArchiveRequest function parses the malicious XML payload. It then takes the attacker-controlled values from the archive_nfs_server_ip and archive_nfs_archive_dir fields and passes them through the insecure ShellCmd::addParaSafe function. These “sanitized” values are then used as arguments in the construction of a command string that executes a Python script located at /opt/phoenix/deployment/jumpbox/datastore.py.

Execution: Because addParaSafe fails to neutralize the injected shell metacharacters, the final command string built by the application now contains the attacker’s malicious commands. This complete string is then executed on the FortiSIEM appliance with the privileges of the user account running the phMonitor service, resulting in unauthenticated remote command execution.
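The following Python example is added here to illustrate the Root Cause and Command Construction passages above; it is not Fortinet's code and not taken from the FortiSIEM binary. The quote-only escaper is a stand-in for the behaviour the advisory attributes to ShellCmd::addParaSafe (an assumption for demonstration), the datastore.py path is the one named above, and the interpreter path and flag names (--nfs-server, --archive-dir) are assumptions. It shows why escaping quotes alone leaves shell metacharacters in place, and the hardened pattern of validating each field against what it is supposed to be (an IP address, a plain absolute path) and passing the values as separate argv entries so that no shell ever parses them.

```python
import ipaddress
import re
import shlex
from typing import List

# Illustrative stand-in for the behaviour the advisory attributes to
# ShellCmd::addParaSafe: only single and double quotes are escaped.
# This is an assumption for demonstration, not Fortinet's code.
def quote_only_escape(value: str) -> str:
    return value.replace("'", "\\'").replace('"', '\\"')

# Characters a POSIX shell interprets that a quote-only escaper never touches.
UNHANDLED_METACHARS = ";|&`$(){}<>*?[]!#~\n\t "

def unhandled_metacharacters(value: str) -> List[str]:
    """Metacharacters that survive quote_only_escape() unchanged."""
    escaped = quote_only_escape(value)
    return sorted(ch for ch in set(UNHANDLED_METACHARS) if ch in escaped)

# Hardened handling: validate each field against what it is supposed to be,
# then pass the values as separate argv entries so no shell ever parses them.
_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")

def validate_nfs_server(value: str) -> str:
    """archive_nfs_server_ip must parse as an IP address; anything else is rejected."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"archive_nfs_server_ip is not an IP address: {value!r}") from None

def validate_archive_dir(value: str) -> str:
    """archive_nfs_archive_dir must be an absolute path of plain segments, no '.' or '..'."""
    if not value.startswith("/"):
        raise ValueError(f"archive_nfs_archive_dir must be absolute: {value!r}")
    segments = [s for s in value.split("/") if s]
    if not segments or any(s in (".", "..") or not _SEGMENT_RE.fullmatch(s) for s in segments):
        raise ValueError(f"archive_nfs_archive_dir contains a disallowed segment: {value!r}")
    return "/" + "/".join(segments)

# Script path as named in the advisory; interpreter path and flag names are assumptions.
DATASTORE_SCRIPT = "/opt/phoenix/deployment/jumpbox/datastore.py"
PYTHON_BIN = "/usr/bin/python3"

def build_archive_argv(server_ip: str, archive_dir: str) -> List[str]:
    """Return an argv list suitable for subprocess.run(argv) with shell=False.
    Validation raises ValueError on anything that is not an IP or a plain path."""
    return [
        PYTHON_BIN, DATASTORE_SCRIPT,
        "--nfs-server", validate_nfs_server(server_ip),
        "--archive-dir", validate_archive_dir(archive_dir),
    ]

def argv_for_log(argv: List[str]) -> str:
    """Display form for audit logs; shlex.join quotes every element."""
    return shlex.join(argv)

if __name__ == "__main__":
    for sample in ("10.0.0.5", "10.0.0.5;", "a'b"):
        print(repr(sample), "-> unhandled:", unhandled_metacharacters(sample))
    print(argv_for_log(build_archive_argv("10.0.0.5", "/mnt/archive/site-1")))
```

The argv list is the real fix: handed to subprocess.run without shell=True, each element reaches the script as one argument regardless of its content. The validators are defence in depth, and they also reject the quote-only escaper's blind spot, since an IP address or a plain path never legitimately contains a metacharacter.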

Vulnerable Versions

Product Branch   Affected Version Range   Patched/Fixed Version
FortiSIEM 7.4    Not Affected             N/A
FortiSIEM 7.3    7.3.0 through 7.3.1      Upgrade to 7.3.2 or above
FortiSIEM 7.2    7.2.0 through 7.2.5      Upgrade to 7.2.6 or above
FortiSIEM 7.1    7.1.0 through 7.1.7      Upgrade to 7.1.8 or above
FortiSIEM 7.0    7.0.0 through 7.0.3      Upgrade to 7.0.4 or above
FortiSIEM 6.7    6.7.0 through 6.7.9      Upgrade to 6.7.10 or above
FortiSIEM 6.6    All versions             Migrate to a supported, fixed release
FortiSIEM 6.5    All versions             Migrate to a supported, fixed release
FortiSIEM 6.4    All versions             Migrate to a supported, fixed release
FortiSIEM 6.3    All versions             Migrate to a supported, fixed release
FortiSIEM 6.2    All versions             Migrate to a supported, fixed release
FortiSIEM 6.1    All versions             Migrate to a supported, fixed release
FortiSIEM 5.4    All versions             Migrate to a supported, fixed release

Mitigations

Immediate Patching: All organisations utilising affected FortiSIEM versions must apply the security patches released by Fortinet.

Interim Mitigation: In scenarios where immediate patching is not feasible, organisations must implement the recommended workaround by restricting all network access to the vulnerable phMonitor service on TCP port 7900, allowing connections only from trusted, internal management hosts.

Monitor Traffic to TCP Port 7900: Security teams should implement comprehensive logging for all network connections to the phMonitor service on TCP port 7900. Analyze these logs for connections originating from unexpected, non-standard, or external IP addresses. Any connection from an IP that is not a known Supervisor, Worker, or Collector node within the FortiSIEM cluster is highly suspect.
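As an added example of the monitoring step above (not part of the original alert and not a Fortinet tool), the Python below runs the described check over a handful of constructed connection records: every connection to TCP port 7900 is compared against an inventory of known Supervisor, Worker and Collector nodes, and anything else is flagged, with external sources rated higher than unknown internal ones. The log format, the cluster inventory and the internal address range are all assumptions for the example; adapt them to the firewall or flow source actually in use.

```python
import ipaddress
import re
from typing import Dict, List, Optional

PHMONITOR_PORT = 7900  # port the advisory names for the phMonitor service

# Constructed sample connection records for this example (not real logs).
# Assumed format: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOG = """\
2025-08-20T09:00:01Z src=10.10.1.11 dst=10.10.1.10 dport=7900 action=allow
2025-08-20T09:00:03Z src=10.10.1.12 dst=10.10.1.10 dport=7900 action=allow
2025-08-20T09:00:07Z src=10.10.5.40 dst=10.10.1.10 dport=443 action=allow
2025-08-20T09:01:15Z src=203.0.113.77 dst=10.10.1.10 dport=7900 action=allow
2025-08-20T09:01:16Z src=198.51.100.9 dst=10.10.1.10 dport=7900 action=deny
2025-08-20T09:02:40Z src=10.10.5.40 dst=10.10.1.10 dport=7900 action=allow
"""

# Constructed inventory of the cluster: every host that legitimately talks to phMonitor.
KNOWN_CLUSTER_NODES: Dict[str, str] = {
    "10.10.1.10": "supervisor",
    "10.10.1.11": "worker",
    "10.10.1.12": "worker",
    "10.10.2.21": "collector",
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

def parse_line(line: str) -> Optional[dict]:
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def classify_source(src: str) -> str:
    """'known-<role>' for inventoried nodes, 'internal-unknown' for other hosts in
    INTERNAL_NETS, 'external' for everything else."""
    if src in KNOWN_CLUSTER_NODES:
        return "known-" + KNOWN_CLUSTER_NODES[src]
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in INTERNAL_NETS):
        return "internal-unknown"
    return "external"

def find_suspect_connections(log_text: str) -> List[dict]:
    """Every connection to TCP/7900 whose source is not a known cluster node."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != PHMONITOR_PORT:
            continue
        verdict = classify_source(rec["src"])
        if verdict.startswith("known-"):
            continue
        if rec["action"] == "deny":
            severity = "low"      # blocked at the perimeter, still worth counting as reconnaissance
        elif verdict == "external":
            severity = "high"     # an Internet host reached the unauthenticated service
        else:
            severity = "medium"   # internal, but not part of the cluster inventory
        findings.append({"ts": rec["ts"], "src": rec["src"], "verdict": verdict, "severity": severity})
    return findings

def sources_by_severity(findings: List[dict]) -> Dict[str, List[str]]:
    """Group offending source addresses by severity for triage."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f["severity"], []).append(f["src"])
    return grouped

if __name__ == "__main__":
    for f in find_suspect_connections(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity']:6} {f['src']:15} {f['verdict']}")
```

Connections that were denied are still recorded rather than dropped: a blocked probe of port 7900 from outside is evidence that the appliance is being mapped, which is exactly the pre-positioning the alert describes. The inventory should be generated from the cluster configuration rather than maintained by hand, so that a newly added Worker or Collector does not show up as a false positive.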