Security Operations, Vulnerability Management, Patch/Configuration Management, SOC, SIEM, Exposure management

FortiSIEM exploited in the wild via OS command injection, Fortinet warns

Fortinet on Aug. 12 reported that an OS command injection vulnerability in FortiSIEM has been observed exploited in the wild.

The bug — CVE-2025-25256 — could let unauthenticated hackers execute unauthorized code or commands via crafted CLI request. It was assigned a CVSS score of 9.8.

FortiSIEM usually gets used as the authoritative source of truth for security events in security operations centers (SOCs) — it's often where custom detections and threat hunting operate on. Security pros rely on FortiSIEM for keeping them abreast of important security trends.

John Bambenek, president at Bambenek Consulting, said this vulnerability allows attackers to relatively easily modify the underlying SIEM. The worst-case scenario could be disabling detections or removing logs during an active compromise of a victim environment.

“These devices should be heavily restricted in who can access them, including having strong network access controls,” said Bambenek. “However, the most important fix here is to patch these devices quickly because of their impact on security visibility for organizations.”

Nic Adams, co-founder and CEO at 0rucs, added that breaching FortiSIEM exposes an organization’s security logs to the threat actor — not a great situation to be in if your data could potentially get ransomed, deleted or tampered by a threat actor.

“These types of systems need to be very isolated from the rest of the environment, and ideally strong authenticated for all administrative access to help reduce exposure,” said Adams.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds