The year has barely begun, but 2026 is already in familiar territory for Fortinet customers, as a new vulnerability has come under attack.
On Jan. 13, Fortinet disclosed a critical flaw in its FortiSIEM platform, tracked as CVE-2025-64155 and assigned a CVSS score of 9.4. The OS command injection vulnerability allows an unauthenticated attacker to achieve remote code execution (RCE) on FortiSIEM instances through crafted TCP requests.
Yesterday, cybersecurity vendor Defused warned in a post on X that CVE-2025-64155 had been exploited in the wild. Much of the threat activity observed by Defused's honeypots came from a range of IP addresses, including three belonging to Chinese providers.
In a LinkedIn post, Simo Kohonen, Defused founder and CEO, said the company’s honeypots had received a “good amount” of targeted exploitation activity that began almost immediately after public disclosure. China-nexus threat groups have heavily targeted Fortinet, along with other edge device vendors, in recent years.
Kohonen tells Dark Reading that exploitation activity has expanded to roughly 15 differentiated actors, and that the FortiSIEM flaw has received “above average attention” compared to other critical flaws and exploits.
Dark Reading contacted Fortinet for comment, but the company had not responded at press time.
A Familiar Attack Surface for FortiSIEM
CVE-2025-64155 was discovered and reported to Fortinet by Horizon3, which published a technical blog post and proof-of-concept (PoC) exploit on Tuesday. Kohonen notes that the exploitation activity against Defused honeypots appeared to use Horizon3’s PoC exploit.
“I think it’s safe to say the PoC has influenced exploitation heavily, with some of the exploit payloads being very closely similar to the [Horizon3] code (on a few occasions even verbatim, which is funny because there are placeholders in the exploit PoC),” he says in an email.
Zach Hanley, attack engineer at Horizon3, explained in the blog post how the vulnerability stemmed from a previously identified security issue with FortiSIEM’s phMonitor service, which monitors the platform’s processes and directs incoming requests to the correct command handlers.
The issue, according to Hanley, is that phMonitor’s command handlers are exposed and available for any remote user to invoke without authentication. As a result, attackers can abuse these command handlers and take advantage of administrative functions like retrieving and setting passwords.
The phMonitor service has been the source of earlier vulnerabilities, too; Horizon3 researchers previously discovered CVE-2024-23108 and CVE-2023-34992, both maximum-severity vulnerabilities in FortiSIEM. Hanley wrote that in prior years phMonitor exposed many of its administrative handlers, but that it now has a significantly smaller attack surface with fewer exposed handlers.
Nevertheless, phMonitor appears to have reared its ugly head once again. Fortinet urged customers running vulnerable FortiSIEM versions, 6.7 through 7.4, to update to a fixed release. As a temporary mitigation, the vendor recommended restricting access to the phMonitor service, which listens on TCP port 7900.
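The interim mitigation above amounts to making sure only trusted hosts can reach phMonitor on TCP/7900. The following is an added example, not code from Fortinet, Horizon3 or Dark Reading, showing one way to express that as a host firewall policy on a Linux FortiSIEM node: a small shell script that validates a list of trusted peer CIDRs and emits iptables rules that accept port 7900 only from those peers and log-and-drop everything else. The chain name PHMON_ALLOW and the sample CIDRs are assumptions for illustration; the rules are printed rather than applied, so the script can be reviewed before piping it to a shell.

```bash
#!/usr/bin/env bash
# Added example (not Fortinet's or Horizon3's code): restrict FortiSIEM's
# phMonitor listener (TCP/7900) to trusted peers, matching the vendor's interim
# mitigation of limiting access to port 7900. Chain name and CIDRs are assumed.
set -eu

PHMON_PORT=7900
CHAIN="PHMON_ALLOW"   # assumed name for a dedicated chain

# Validate an IPv4 address or CIDR (a.b.c.d or a.b.c.d/nn): four numeric
# octets in 0-255 and a prefix length in 0-32. A bare address means /32.
valid_cidr() {
  local cidr="$1" ip prefix o oldifs
  case "$cidr" in
    */*) ip="${cidr%/*}"; prefix="${cidr#*/}" ;;
    *)   ip="$cidr"; prefix=32 ;;
  esac
  { [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ]; } 2>/dev/null || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print (do not run) the iptables commands that allow TCP/7900 only from the
# given trusted CIDRs and log-and-drop every other connection attempt.
phmon_rules() {
  local cidr
  [ "$#" -ge 1 ] || { echo "need at least one trusted CIDR" >&2; return 1; }
  echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    echo "iptables -A $CHAIN -p tcp --dport $PHMON_PORT -s $cidr -j ACCEPT"
  done
  # Anything else reaching phMonitor is logged (so probing is visible) and dropped.
  echo "iptables -A $CHAIN -p tcp --dport $PHMON_PORT -j LOG --log-prefix 'phmon-denied: '"
  echo "iptables -A $CHAIN -p tcp --dport $PHMON_PORT -j DROP"
  # Hook the chain into INPUT once; -C checks whether the jump already exists.
  echo "iptables -C INPUT -p tcp --dport $PHMON_PORT -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp --dport $PHMON_PORT -j $CHAIN"
}

# Usage: review the output, then apply with:  phmon_rules <cidr>... | sh
# The CIDRs below are constructed placeholders for collectors/workers.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ]; then
  phmon_rules 10.10.0.5/32 10.20.0.0/24
fi
```

After applying, `iptables -L PHMON_ALLOW -n -v` shows per-rule counters, so hits on the LOG/DROP rules give a quick indication of whether untrusted sources are probing port 7900. This is a stopgap for a single node; the real fix remains upgrading to a patched FortiSIEM release.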