Published On: Oct 27, 2025 17:05
Advisory No: TZCERT-SA-25-0116
Source: Fortinet
Software Affected: FortiSIEM 5.4.x (all), 6.1.x – 6.6.x (all), 6.7.0 – 6.7.9, 7.0.0 – 7.0.3, 7.1.0 – 7.1.7, 7.2.0 – 7.2.5, 7.3.0 – 7.3.1.
A critical vulnerability has been identified in FortiSIEM which allows an unauthenticated remote attacker to execute arbitrary operating system commands on the affected system. Immediate action is required for all deploying organizations.
The vulnerability tracked as CVE-2025-25256 exists due to improper input validation in FortiSIEM’s CLI component. An attacker can send specially crafted requests to the service (commonly using TCP port 7900), resulting in arbitrary command execution with elevated privileges. The flaw affects the following versions 5.4.x (all), 6.1.x – 6.6.x (all), 6.7.0 – 6.7.9, 7.0.0 – 7.0.3, 7.1.0 – 7.1.7, 7.2.0 – 7.2.5, 7.3.0 – 7.3.1. The vulnerability is rated Critical (CVSS v3.1 Base Score: 9.8).
Successful exploitation of this vulnerability could allow a remote attacker to gain complete control over the affected FortiSIEM system. The attacker may execute arbitrary commands with elevated privileges, alter or delete critical log data, disable security monitoring functions, and use the compromised appliance to pivot within the internal network. This poses a serious threat to the confidentiality, integrity, and availability of organizational security operations.
Fortinet has released security updates to address this vulnerability under advisory FG-IR-25-152. Users are strongly advised to upgrade FortiSIEM to the latest fixed versions to eliminate the risk of exploitation. Where immediate patching is not possible, organizations should restrict access to TCP port 7900, limit administrative connections to trusted networks, and closely monitor FortiSIEM logs for any suspicious activity until updates can be applied.
A digest of Tanzania Computer Emergency Response Team coverage of cyber-security news across the globe.
