CVE-2025-64155

CRITICAL EXPLOITED

FortiSIEM 6.7.0-6.7.10, 7.0.0-7.0.4, 7.1.0-7.1.8, 7.3.0-7.3.4, 7.4.0 - OS Command Injection via TCP Requests

Title source: llm

Exploitation Summary

CVE-2025-64155 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 6 public repositories for it: one working PoC (horizon3ai), three scanners (XiaomingX, cyberdudebivash, purehate), one writeup (Mefhika120) and one repository flagged as suspicious (exploitChains).

AI-analyzed exploit summary

This PoC exploits an argument injection vulnerability in Fortinet FortiSIEM to achieve remote code execution as root. It sends a crafted XML payload to the Phoenix Monitor service, which triggers a file write via a cron job, leading to RCE.

Description

An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM 6.7.0 through 6.7.10 may allow an attacker to execute unauthorized code or commands via crafted TCP requests.
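The version list above is the practical input for asset triage, and the classic mistake is comparing version strings lexicographically (where "6.7.10" sorts before "6.7.2"). The following is an added example, not code from this page, from Fortinet or from any of the PoC repositories: the inclusive ranges are transcribed from the Description, while the parsing logic, the hostnames and the sample inventory are the editor's own constructions.

```python
"""Affected-version triage for CVE-2025-64155 (FortiSIEM).

Added example, not code from the page, from Fortinet or from any of the PoC
repositories. The inclusive ranges below are transcribed from the Description;
the parsing logic and the sample inventory are the editor's own (hostnames are
constructed).
"""
from typing import List, Tuple

# Inclusive (low, high) ranges exactly as the Description lists them.
# The vendor advisory remains authoritative for fixed builds.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("6.7.0", "6.7.10"),
    ("7.0.0", "7.0.4"),
    ("7.1.0", "7.1.8"),
    ("7.3.0", "7.3.4"),
    ("7.4.0", "7.4.0"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert '6.7.10' into (6, 7, 10).

    Comparing integer tuples avoids the string-comparison trap where
    '6.7.10' < '6.7.2' lexicographically, which would wrongly mark 6.7.10 as fixed.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # '7.3' is treated as 7.3.0 so it compares cleanly against three-part bounds.
    return v + (0,) * (width - len(v))


def is_affected(version: str) -> bool:
    """True if `version` falls inside one of the listed inclusive ranges."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        width = max(len(v), len(lo), len(hi))
        if _pad(lo, width) <= _pad(v, width) <= _pad(hi, width):
            return True
    return False


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair.

    'not in listed ranges' is deliberately not 'safe': the writeup entry on this
    page also names 7.2.0-7.2.6, which the Description omits, so anything outside
    the listed ranges still needs a check against the vendor advisory.
    """
    result = []
    for host, version in inventory:
        try:
            verdict = "AFFECTED" if is_affected(version) else "not in listed ranges"
        except ValueError:
            verdict = "unparseable version"
        result.append((host, version, verdict))
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fsm-super-01", "7.4.0"),
    ("fsm-worker-01", "6.7.10"),
    ("fsm-worker-02", "7.1.9"),
    ("fsm-collector-03", "7.2.5"),
    ("fsm-lab", "7.4.1"),
    ("fsm-unknown", "n/a"),
]

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:18} {version:8} {verdict}")
```

Feed it the output of whatever inventory export you have (CMDB, the FortiSIEM GUI, or the version banner a scanner collects) and reconcile the "not in listed ranges" rows by hand against the vendor advisory rather than treating them as patched.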

Exploits (6)

nomisec · Working PoC · 30 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2025-64155

This PoC exploits an argument injection vulnerability in Fortinet FortiSIEM to achieve remote code execution as root. It sends a crafted XML payload to the Phoenix Monitor service, which triggers a file write via a cron job, leading to RCE.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Fortinet FortiSIEM
No auth needed
Prerequisites: Network access to the target's Phoenix Monitor service (default port 7900) · Ability to host a malicious HTTP server to serve the payload
devstral-2 · analyzed Feb 16, 2026
github · Scanner · 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-64155

This repository contains a Python-based scanner for detecting CVE-2025-64155, a command injection vulnerability in the Phoenix Monitor service. The scanner uses a time-based detection method by injecting a 'sleep' command into the 'cluster_url' parameter of the 'handleStorageRequest' command (ID: 1075724911) and measuring response delays.

Classification: Scanner (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Phoenix Monitor service
No auth needed
Prerequisites: Network access to the Phoenix Monitor service (default port 7900) · SSL/TLS connectivity to the target
devstral-2 · analyzed Feb 27, 2026
github · Suspicious · 2 stars
by exploitChains · pythonpoc
https://github.com/exploitChains/poc-collection/tree/main/CVE-2025-64155

The repository contains only a README with a link to an external GitHub repository, lacking any actual exploit code or technical details. This is characteristic of a social engineering lure.

Classification: Suspicious (90%)
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: Fortinet FortiSIEM
No auth needed
Prerequisites: none provided
devstral-2 · analyzed Feb 27, 2026
nomisec · Scanner · 1 star
by cyberdudebivash · poc
https://github.com/cyberdudebivash/CYBERDUDEBIVASH-FortiSIEM-CVE-2025-64155-Scanner

This repository contains a scanner for CVE-2025-64155, a command injection vulnerability in FortiSIEM's phMonitor service. The tool checks for open TCP/7900 and optionally probes for vulnerable handler behavior without exploiting the system.

Classification: Scanner (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: FortiSIEM (versions prior to 7.4.1)
No auth needed
Prerequisites: Network access to target · TCP/7900 accessible
devstral-2 · analyzed Feb 16, 2026
nomisec · Scanner
by purehate · remote
https://github.com/purehate/CVE-2025-64155-hunter

This repository contains a Python-based scanner for detecting CVE-2025-64155, a command injection vulnerability in the Phoenix Monitor service. The scanner uses a time-based detection method by injecting a 'sleep 3' command into the 'cluster_url' parameter of the 'handleStorageRequest' command.

Classification: Scanner (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Phoenix Monitor service
No auth needed
Prerequisites: Network access to the Phoenix Monitor service · Service running on default or specified port (7900)
devstral-2 · analyzed Feb 16, 2026
nomisec · Writeup
by Mefhika120 · poc
https://github.com/Mefhika120/Ashwesker-CVE-2025-64155

This repository contains a detailed writeup for CVE-2025-64155, a critical OS command injection vulnerability in Fortinet FortiSIEM allowing unauthenticated remote code execution with root privileges. The README provides vulnerability details, affected versions, mitigation steps, and references.

Classification: Writeup (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Fortinet FortiSIEM versions 6.7.0-6.7.10, 7.0.0-7.0.4, 7.1.0-7.1.8, 7.2.0-7.2.6, 7.3.0-7.3.4, 7.4.0
No auth needed
Prerequisites: Network access to TCP port 7900 on vulnerable FortiSIEM instance
devstral-2 · analyzed Feb 16, 2026
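Every entry above shares one prerequisite: unauthenticated network reach to the Phoenix Monitor (phMonitor) service on TCP/7900. Until a host is patched, the defensive check that matters is therefore who can actually reach that port. The block below is an added example, not code from this page, from Fortinet or from any of the listed repositories: it walks firewall log lines and reports TCP/7900 flows toward FortiSIEM nodes from sources outside an allow-list. The node addresses, the allow-listed collector networks, the key=value log format and the log lines themselves are all the editor's constructions.

```python
"""Flag unexpected clients of the FortiSIEM phMonitor port (TCP/7900).

Added example for the prerequisite every exploit entry shares (network access
to the Phoenix Monitor service on TCP/7900). Not from the page, from Fortinet
or from any PoC repository. Assumptions, all the editor's: the FortiSIEM node
addresses, the allow-list of collector/worker networks, and the key=value
firewall log format. The log lines are constructed, not captured.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional

PHMONITOR_PORT = 7900

# Constructed deployment: supervisor + worker, and the networks that legitimately
# connect to phMonitor (collectors and peer nodes).
FORTISIEM_NODES = {"10.10.5.10", "10.10.5.11"}
ALLOWED_CLIENT_NETS = [ip_network("10.10.5.0/24"), ip_network("10.20.0.0/16")]

# Constructed key=value format: src=... dst=... dport=... proto=... action=...
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def is_allowed_client(src: str) -> bool:
    """True if the source address sits inside one of the allow-listed networks."""
    try:
        ip = ip_address(src)
    except ValueError:
        return False  # garbage source field: treat as not allowed so it surfaces
    return any(ip in net for net in ALLOWED_CLIENT_NETS)


def phmonitor_client_report(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count TCP/7900 flows toward FortiSIEM nodes from sources outside the allow-list.

    Returns {"allowed": {src: n}, "denied": {src: n}}. Allowed flows from an
    unexpected source are the finding (the attacker's only prerequisite is met);
    denied ones show who is probing and whether the filtering holds.
    """
    allowed: Counter = Counter()
    denied: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"].lower() != "tcp" or ev["dport"] != PHMONITOR_PORT:
            continue
        if ev["dst"] not in FORTISIEM_NODES:
            continue
        if is_allowed_client(ev["src"]):
            continue
        (allowed if ev["action"].lower() == "allow" else denied)[ev["src"]] += 1
    return {"allowed": dict(allowed), "denied": dict(denied)}


# Constructed sample log (not captured traffic).
SAMPLE_LOG = [
    "2026-02-20T09:00:01Z fw1 src=10.20.3.7 dst=10.10.5.10 dport=7900 proto=tcp action=allow",    # collector, expected
    "2026-02-20T09:00:05Z fw1 src=10.10.5.11 dst=10.10.5.10 dport=7900 proto=tcp action=allow",   # worker, expected
    "2026-02-20T09:01:12Z fw1 src=192.0.2.44 dst=10.10.5.10 dport=7900 proto=tcp action=allow",   # finding
    "2026-02-20T09:01:13Z fw1 src=192.0.2.44 dst=10.10.5.10 dport=7900 proto=tcp action=allow",   # finding
    "2026-02-20T09:02:30Z fw1 src=198.51.100.9 dst=10.10.5.11 dport=7900 proto=tcp action=deny",  # probe blocked
    "2026-02-20T09:02:31Z fw1 src=192.0.2.44 dst=10.10.5.10 dport=443 proto=tcp action=allow",    # GUI port, out of scope here
    "2026-02-20T09:03:00Z fw1 src=192.0.2.44 dst=10.10.9.9 dport=7900 proto=tcp action=allow",    # not a FortiSIEM node
    "malformed line that does not parse",
]

if __name__ == "__main__":
    report = phmonitor_client_report(SAMPLE_LOG)
    for src, n in report["allowed"].items():
        print(f"ALERT  {src} reached phMonitor {n}x from outside the allow-list")
    for src, n in report["denied"].items():
        print(f"INFO   {src} probed TCP/{PHMONITOR_PORT} {n}x and was denied")
```

Any source in the "allowed" bucket has everything the scanners and the working PoC above need; that is the list to act on first (block at the perimeter, then hunt on the FortiSIEM node), while the "denied" bucket is the usual scanning noise plus a confirmation that the port filter is doing its job.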

Scores

CVSS v3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: Network
EPSS: 0.0009 (percentile 25.5%)

EPSS estimates the probability of exploitation over the next 30 days from observed activity and typically lags for a freshly published CVE; with a VulnCheck KEV entry and a working public PoC on record, prioritize on those rather than on the EPSS figure.

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical Impact: total

The SSVC exploitation value of "poc" is CISA's enrichment; VulnCheck KEV (see Details) records in-the-wild exploitation as of 2026-01-15.

Details

VulnCheck KEV: 2026-01-15
CWE: CWE-78 (OS command injection)
Status: published
Products (2):
fortinet/fortisiem 7.4.0
fortinet/fortisiem 6.7.0 - 7.1.9
Published: Jan 13, 2026
Tracked since: Feb 18, 2026

The second product entry is a coarse CPE span: it covers 7.1.9 and every 7.0.x and 7.1.x build, whereas the Description stops at 7.0.4 and 7.1.8, and neither list names the 7.2 branch that the Mefhika120 writeup entry above includes. Use the Description's explicit ranges and the vendor advisory, not this span, for patch decisions.