How do I fix the unauthenticated remote command injection in Fortinet FortiSIEM?

Home » Cybersecurity » How do I fix the unauthenticated remote command injection in Fortinet FortiSIEM?

Table of Contents

Is your network exposed to the critical FortiSIEM CVE-2025-64155 RCE vulnerability?
Technical Breakdown of CVE-2025-64155
Impacted Versions and Patch Information
Context: The Discovery by Horizon3
Related Security Risks
Recommended Remediation Strategy

Is your network exposed to the critical FortiSIEM CVE-2025-64155 RCE vulnerability?

A critical security flaw currently threatens specific versions of Fortinet’s Security Information and Event Management (SIEM) product. This vulnerability, tracked as CVE-2025-64155, allows unauthorized actors to execute commands remotely. Fortinet released a mandatory update to neutralize this threat. Administrators managing these systems must patch their environments immediately.

Technical Breakdown of CVE-2025-64155

Publicly acknowledged on January 13, 2026, this vulnerability stems from improper neutralization of elements within an OS command. This flaw acts as an “OS command injection” vector.

The mechanism is straightforward: the system fails to validate specific inputs. An attacker sends manipulated TCP requests to the target. Because the input is not sanitized, the system executes the attacker’s malicious code. This process requires no authentication. A remote adversary can gain control of the SIEM appliance without valid credentials.

Impacted Versions and Patch Information

This vulnerability affects a wide range of FortiSIEM iterations. Compare your current deployment against the following list:

Version 7.4.0
Versions 7.3.0 through 7.3.4
Versions 7.1.0 through 7.1.8
Versions 7.0.0 through 7.0.4
Versions 6.7.0 through 6.7.10

Fortinet addressed this issue in security advisory FG-IR-25-772. Refer to this document for the specific patch files required for remediation.

Context: The Discovery by Horizon3

Security researchers at Horizon3 identified this flaw during a retrospective analysis. They were investigating a previous advisory from August 2025 (CVE-2025-25256) when they discovered deeper systemic issues.

Their research highlighted an unauthenticated argument injection vulnerability. This flaw allows arbitrary file writing. Consequently, an attacker can modify system files to escalate privileges. This chain of exploits grants the attacker root access, providing total control over the FortiSIEM appliance. Horizon3 has published a Proof of Concept (PoC) and detailed Indicators of Compromise (IoCs) to assist defenders in detecting active exploitation.

Related Security Risks

Security teams should also note a concurrent advisory released on January 13, 2026. FG-IR-25-084 addresses a heap-based buffer overflow in the cw_acd daemon, tracked as CVE-2025-25249. While distinct from the command injection issue, it represents a significant risk that requires attention during your patch cycle.

Recommended Remediation Strategy

Audit: Verify the version numbers of all FortiSIEM instances in your infrastructure.
Patch: Apply the updates listed in advisory FG-IR-25-772 immediately.
Investigate: Use the IoCs provided by Horizon3 to scan logs for signs of prior compromise.
Review: Ensure the patch for the secondary vulnerability (CVE-2025-25249) is also applied.