Fortinet patches critical flaw with public exploit in FortiSIEM

Fortinet fixed multiple vulnerabilities across its products this week, including a critical flaw in FortiSIEM that can allow unauthenticated attackers to execute unauthorized code or commands. More importantly, the company said a working exploit for this flaw was detected in the wild.

The vulnerability, tracked as CVE-2025-25256, stems from improper sanitization of special elements in OS command requests sent to the command line interface (CLI) and was fixed in versions 7.3.2, 7.2.6, 7.1.8, 7.0.4, and 6.7.10. FortiSIEM 7.4 is not impacted. Versions 6.6 and below are affected but won’t receive a fix, so users running them should migrate to one of the supported branches.

FortiSIEM is a hardware and virtual appliance that performs security information and event management (SIEM). It analyzes network traffic and logs to detect threats and perform incident response.

Users who cannot upgrade are advised to filter communications on port 7900, which is used by the phMonitor component to monitor the health of system processes and to distribute tasks to them.
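The version list above can be applied to an appliance inventory. The following is an added example, not Fortinet's or the article's code: it assumes that releases below the fixed one in each listed branch are affected, and the host names and inventory are constructed placeholders.

```python
import re

# Advisory data taken from the article text for CVE-2025-25256.
# Assumption: within each branch, releases below the fixed one are affected.
FIXED = {(7, 3): (7, 3, 2), (7, 2): (7, 2, 6), (7, 1): (7, 1, 8),
         (7, 0): (7, 0, 4), (6, 7): (6, 7, 10)}
NOT_IMPACTED = {(7, 4)}        # "FortiSIEM 7.4 is not impacted"
NO_FIX_AT_OR_BELOW = (6, 6)    # 6.6 and below: affected, no fix coming


def parse_version(text):
    """Turn '7.2.5' or 'v6.7' into (major, minor, patch).

    A missing patch level is read as 0, the most pessimistic choice.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(version_text):
    """Return (status, first_fixed_release_or_None) for one appliance."""
    ver = parse_version(version_text)
    branch = ver[:2]
    if branch in NOT_IMPACTED:
        return ("not-impacted", None)
    if branch <= NO_FIX_AT_OR_BELOW:
        return ("affected-no-fix", None)   # migrate to a supported branch
    if branch in FIXED:
        fixed = FIXED[branch]
        # Integer tuples compare numerically, so 6.7.9 < 6.7.10 holds
        # (a plain string comparison would get this wrong).
        if ver >= fixed:
            return ("patched", None)
        return ("affected", ".".join(map(str, fixed)))
    return ("unknown", None)               # branch not covered by the article


def triage_inventory(inventory):
    """Map each host to its triage result; input is {host: version}."""
    return {host: triage(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names are placeholders.
    sample = {"siem-a.example": "7.3.1", "siem-b.example": "6.7.10",
              "siem-c.example": "6.6.2", "siem-d.example": "7.4.0"}
    for host, (status, target) in triage_inventory(sample).items():
        print(f"{host:16} {status:16} {target or '-'}")
```

Hosts reported as affected that cannot be upgraded right away are the ones to put behind the port 7900 filter described above.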

Fortinet also fixed a high-severity authentication bypass flaw, CVE-2024-26009, in FortiOS, FortiProxy, and FortiPAM. The vulnerability can only be exploited on devices managed by a FortiManager appliance through the proprietary FGFM protocol, and only if the attacker knows the device’s serial number. If exploitation is successful, attackers can execute arbitrary code and commands on the system.

Other fixes released this week address medium-risk flaws in various products, including a path traversal resulting in arbitrary file overwrite (CVE-2024-52964) and unauthorized command execution, a double-free memory issue (CVE-2023-45584) leading to unauthorized code execution, an incorrect privilege assignment in Security Fabric (CVE-2025-53744) leading to privilege escalation, and an integer overflow (CVE-2025-25248) leading to denial of service.

FortiOS brute-force attacks on the rise

On the same day as these fixes, malicious traffic monitoring firm GreyNoise reported seeing a significant spike in brute-force traffic directed at Fortinet SSL VPNs since the beginning of the month. According to GreyNoise research, spikes in brute-force traffic can be a sign that a new vulnerability is being probed before disclosure.

“Spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor — most within six weeks,” the company said in its report. “In fact, GreyNoise found that spikes in activity triggering this exact tag are significantly correlated with future disclosed vulnerabilities in Fortinet products.”

It’s worth noting that the spikes observed by GreyNoise came in two waves: the first began on Aug. 3 and, based on its TCP signature, targeted a FortiOS device profile; the second began on Aug. 5 and matched a TCP signature for FortiManager – FGFM profile. Whether this had anything to do with the high-severity CVE-2024-26009 authentication bypass vulnerability patched by Fortinet this week is unclear.
