H3-2025-0053

Fortinet FortiSIEM Arbitrary File Write Remote Code Execution Vulnerability

Category VULNERABILITY
Base Score 9.8

Description

This vulnerability was discovered by Horizon3.ai researchers and responsibly disclosed to Fortinet as a 0-day. H3-2025-0053 (CVE-2025-64155) is a remote code execution vulnerability affecting Fortinet FortiSIEM. All versions of FortiSIEM are vulnerable. The vulnerability arises because user-supplied input to an unauthenticated API endpoint is not neutralized, which allows arbitrary file creation on the FortiSIEM appliance.

Impact

Unauthenticated attackers with access to the FortiSIEM phMonitor service, listening by default on tcp/7900, can gain complete control of the vulnerable server, read integration secrets, and disrupt security operations.

References