{"id":4385,"date":"2025-08-14T23:04:49","date_gmt":"2025-08-14T23:04:49","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4385"},"modified":"2025-08-14T23:04:49","modified_gmt":"2025-08-14T23:04:49","slug":"fortinet-patches-critical-flaw-with-public-exploit-in-fortisiem","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4385","title":{"rendered":"Fortinet patches critical flaw with public exploit in FortiSIEM"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Fortinet fixed multiple vulnerabilities across its products this week, including a critical flaw in FortiSIEM that can allow unauthenticated attackers to execute unauthorized code or commands. More importantly, the company said a working exploit for this flaw was detected in the wild.<\/p>\n

The vulnerability<\/a>, tracked as CVE-2025-25256, stems from improper sanitization of special elements in OS command requests sent to the command line interface (CLI) and was fixed in versions 7.3.2, 7.2.6, 7.1.8, 7.0.4, and 6.7.10. FortiSIEM 7.4 is not impacted, and all versions below and including 6.6 are affected but should migrate to one of the supported branches because they won\u2019t receive a fix.<\/p>\n

FortiSIEM is a hardware and virtual appliance that performs security information and event management (SIEM)<\/a>. It analyzes network traffic and logs to detect threats and perform incident response.<\/p>\n

Users who cannot upgrade are advised to filter communications on port 7900, which is used by the phMonitor component to monitor the health of system processes and to distribute tasks to them.<\/p>\n

Fortinet also fixed a high severity authentication bypass flaw<\/a>, CVE-2024-26009, in FortiOS, FortiProxy, and FortiPAM. The vulnerability can only be exploited on devices managed by a FortiManager appliance through the proprietary FGFM protocol, and the attacker knows the device\u2019s serial number. If exploitation is successful, attackers can execute arbitrary code and commands on the system.<\/p>\n

Other fixes released this week address medium-risk flaws in various products, including a path traversal resulting in arbitrary file overwrite (CVE-2024-52964<\/a>) and unauthorized command execution, a double-free memory issue (CVE-2023-45584<\/a>) leading to unauthorized code execution, an incorrect privilege assignment in Security Fabric (CVE-2025-53744<\/a>) leading to privilege escalation, and an integer overflow (CVE-2025-25248<\/a>) leading to denial of service.<\/p>\n

FortiOS brute-force attacks on the rise<\/h2>\n

On the same day as these fixes, malicious traffic monitoring firm GreyNoise reported seeing a significant spike in brute-force traffic directed at Fortinet SSL VPNs<\/a> since the beginning of the month. According to GreyNoise research, spikes in brute-force traffic can be a sign that a new vulnerability is being probed before disclosure.<\/p>\n

\u201cSpikes like this often precede the disclosure of new vulnerabilities affecting the same vendor \u2014 most within six weeks,\u201d the company said in its report. \u201cIn fact, GreyNoise found that spikes in activity triggering this exact tag are significantly correlated with future disclosed vulnerabilities in Fortinet products.\u201d<\/p>\n

It\u2019s worth noting that the spikes observed by GreyNoise came in two waves: the first began on Aug. 3 and, based on TCP its signature, targeted a FortiOS device profile; the second began on Aug. 5 and matched a TCP signature for FortiManager \u2013 FGFM profile. Whether this had anything to do with the high-severity CVE-2024-26009 authentication bypass vulnerability patched by Fortinet this week is unclear.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Fortinet fixed multiple vulnerabilities across its products this week, including a critical flaw in FortiSIEM that can allow unauthenticated attackers to execute unauthorized code or commands. More importantly, the company said a working exploit for this flaw was detected in the wild. The vulnerability, tracked as CVE-2025-25256, stems from improper sanitization of special elements in […]<\/p>\n","protected":false},"author":0,"featured_media":4386,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4385","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4385"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4385"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4385\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4386"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}