A critical vulnerability in Fortinet FortiSIEM is now being actively exploited by threat actors following the public release of proof-of-concept exploit code.
The flaw, tracked as CVE-2025-64155, is an OS command injection issue that allows a remote attacker to execute arbitrary shell commands on the target system. The vulnerability exists due to improper input validation in phMonitor. A remote unauthenticated attacker can send specially crafted packets to port 7900/TCP and execute arbitrary OS commands on the target system.
The vulnerability affects FortiSIEM versions 6.7 through 7.5. Fortinet has released patches and urges customers to upgrade to FortiSIEM 7.4.1, 7.3.5, 7.2.7, or 7.1.9, or a later release. Users running older releases are advised to migrate as soon as possible. For organizations unable to patch right away, Fortinet recommends restricting access to the phMonitor service on port 7900/TCP as a temporary mitigation.
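Two checks a defender would want while the upgrade is being scheduled are (a) whether a given FortiSIEM build is at or above the fixed releases named above, and (b) whether the interim mitigation, restricting access to 7900/TCP, is actually holding. The following is an added example, not code from the article or from Fortinet; the firewall log format, the trusted collector subnet (10.20.0.0/24) and the sample log lines are constructed for illustration, and the version logic encodes only the affected range and fixed builds the article lists.

```python
"""Defender helpers for the FortiSIEM phMonitor advisory (CVE-2025-64155).

  1. assess_version(): is this FortiSIEM build at or above the fixed
     releases the advisory names (7.4.1, 7.3.5, 7.2.7, 7.1.9)?
  2. find_untrusted_phmonitor_connections(): scan firewall log lines for
     7900/TCP connections whose source is outside the networks where
     FortiSIEM collectors/workers are expected, i.e. where the
     "restrict access to port 7900" mitigation is not being enforced.

The log format and trusted networks are constructed for the example;
adapt them to the firewall actually in front of the supervisor.
"""
import ipaddress
import re

PHMONITOR_PORT = 7900

# Fixed builds per release branch, as listed in the advisory summary.
FIXED_BUILDS = {
    (7, 4): (7, 4, 1),
    (7, 3): (7, 3, 5),
    (7, 2): (7, 2, 7),
    (7, 1): (7, 1, 9),
}
# Affected range stated in the advisory: 6.7 through 7.5 (major.minor).
AFFECTED_MIN = (6, 7)
AFFECTED_MAX = (7, 5)


def parse_version(text):
    """'7.3.4' -> (7, 3, 4); missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess_version(text):
    """Return 'patched', 'vulnerable' or 'unlisted' for a version string.

    'unlisted' means the branch is outside the 6.7-7.5 range the advisory
    names, so this helper makes no claim about it. Branches inside that
    range with no fixed build listed (6.x, 7.0, 7.5) are reported
    'vulnerable'; the advisory's guidance for them is to migrate to a
    patched branch.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if not (AFFECTED_MIN <= branch <= AFFECTED_MAX):
        return "unlisted"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is not None and (major, minor, patch) >= fixed:
        return "patched"
    return "vulnerable"


# Constructed key=value firewall log format (assumption for the example).
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+"
    r"dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def find_untrusted_phmonitor_connections(log_lines, trusted_networks):
    """Return (line_number, src, action) for every 7900/TCP record whose
    source is outside trusted_networks. Denied attempts are included too:
    they show the mitigation working, but also who is probing the port."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated record; skip rather than guess
        if m["proto"].lower() != "tcp" or int(m["dport"]) != PHMONITOR_PORT:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in nets):
            continue
        hits.append((lineno, str(src), m["action"]))
    return hits


# Constructed sample: two legitimate collector connections, one external
# source that was allowed (a mitigation gap) and one external source denied.
SAMPLE_LOG = [
    "2025-12-01T10:00:01Z fw1 src=10.20.0.15 dst=10.20.0.5 proto=tcp dport=7900 action=allow",
    "2025-12-01T10:00:07Z fw1 src=203.0.113.44 dst=10.20.0.5 proto=tcp dport=7900 action=allow",
    "2025-12-01T10:00:09Z fw1 src=10.20.0.16 dst=10.20.0.5 proto=tcp dport=443 action=allow",
    "2025-12-01T10:00:12Z fw1 src=198.51.100.9 dst=10.20.0.5 proto=tcp dport=7900 action=deny",
    "2025-12-01T10:00:15Z fw1 src=10.20.0.16 dst=10.20.0.5 proto=udp dport=7900 action=allow",
]
TRUSTED = ["10.20.0.0/24"]  # assumed collector/worker subnet

if __name__ == "__main__":
    for v in ["7.3.4", "7.3.5", "7.4.1", "7.5.0", "6.6.0"]:
        print(v, assess_version(v))
    for lineno, src, action in find_untrusted_phmonitor_connections(SAMPLE_LOG, TRUSTED):
        print(f"line {lineno}: {src} -> {PHMONITOR_PORT}/tcp ({action})")
```

Run against the constructed sample it reports line 2 (an allowed external connection, meaning the port restriction is not in place on that path) and line 4 (a denied external attempt worth correlating with the honeypot activity described below the patch release). An allowed hit from outside the collector network is the condition to page on until the upgrade lands.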
Just two days after patches were released, threat intelligence firm Defused observed active exploitation attempts in its honeypots, indicating that attackers are already leveraging the vulnerability in real-world attacks.
It should also be noted that networking equipment maker Cisco has finally fixed a critical Cisco AsyncOS zero-day flaw (CVE-2025-20393) that has been exploited in attacks against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025. Cisco's threat intelligence team, Cisco Talos, has attributed the attacks to a likely Chinese state-linked group, tracked as UAT-9686, which deployed persistent backdoors and tunneling tools such as AquaShell, AquaTunnel, and Chisel.