
“The phMonitor service marshals incoming requests to their appropriate function handlers based on the type of command sent in the API request,” they said. “Every command handler is mapped to an integer, which is passed in the command message. Security issue #1 is that all of these handlers are exposed and available for any remote client to invoke without any authentication.”
Prior to the CVE-2025-64155 disclosure, Fortinet had already patched a related critical command injection flaw in FortiSIEM, tracked as CVE-2025-25256, earlier, in August 2025. That vulnerability also stemmed from improper handling of input passed to OS commands and was significant enough that Fortinet acknowledged working exploit code in the wild, prompting fixes in multiple supported FortiSIEM releases.
Exploit code changes the risk equation
While Fortinet has released patches and mitigation guidance, Tenable’s analysis highlights the likelihood of real-world attacks now that working exploit code is public.
“The recent disclosure of CVE-2025-64155 alongside public exploit code is a worrisome start to 2026,” said Scott Caveza, senior staff research engineer at Tenable. “Although no known exploitation has been reported, Fortinet vulnerabilities remain a top prize for attackers–including nation-state groups.”
