Fortinet is warning about a remote unauthenticated command injection flaw in FortiSIEM that has in-the-wild exploit code, making it critical for admins to apply the latest security updates.

FortiSIEM is a central security monitoring and analytics system used for logging, network telemetry, and security incident alerts, serving as an integral part of security operation centers, where it's an essential tool in the hands of IT ops teams and analysts.

The product is generally used by governments, large enterprises, financial institutions, healthcare providers, and managed security service providers (MSSPs).

The flaw, tracked as CVE-2025-25256 and rated critical (CVSS: 9.8), impacts multiple branches of SIEM, from 5.4 up to 7.3.

"An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests," describes Fortinet.

While Fortinet does not outright state that the flaw was exploited as a zero-day, they did confirm that functional exploit code exists for the flaw.

"Practical exploit code for this vulnerability was found in the wild," noted the vendor.

Fortinet says exploitation of this flaw does not produce distinctive IOCs to determine if a device has been compromised.

This disclosure comes a day after GreyNoise warned of a massive spike in brute-force attacks targeting Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager. The network threat intelligence company warned that spikes of malicious traffic often precede the disclosure of a new vulnerability.

It is unclear if Fortinet's disclosure of  CVE-2025-25256 is related to GreyNoise's report.

Given the availability of an exploit proof of concept (PoC), organizations must apply the latest security updates for CVE-2025-25256 as soon as possible by upgrading to one of the following FortiSIEM versions:

• FortiSIEM 7.3.2
• FortiSIEM 7.2.6
• FortiSIEM 7.1.8
• FortiSIEM 7.0.4
• FortiSIEM 6.7.10

FortiSIEM versions 5.4 to 6.6 are also vulnerable in all versions, but they are no longer supported and will not receive a patch for the flaw. Administrators managing older FortiSIEM versions are advised to migrate to a newer, actively supported release.

Fortinet also included a workaround of limiting access to the phMonitor on port 7900, indicating that this is the entry point for malicious exploitation.

It's important to note that such workarounds reduce exposure and buy time until an upgrade can be performed. However, they do not fix the underlying vulnerability.