Fortinet, whose technologies are a popular target for attackers, has disclosed a critical, unauthenticated remote code execution vulnerability in its FortiSIEM platform. A proof-of-concept exploit for the flaw is already circulating in the wild, signaling the potential for imminent attacks.
Adding to the concern, researchers at GreyNoise have detected a sharp uptick in malicious activity targeting Fortinet SSL VPNs and the FortiManager centralized management platform that many organizations use for centralized device management. Such traffic in the past has often preceded the discovery and disclosure of new vulnerabilities in the affected products.
Unauthenticated Remote Attacks
The new vulnerability that Fortinet disclosed this week, CVE-2025-25256, is an OS command injection flaw that allows an unauthenticated remote attacker to run arbitrary code on affected systems via specially crafted command line interface (CLI) requests.
The flaw affects all FortiSIEM versions from 5.4 through 7.3.1. Fortinet has released updated versions of the products and has advised organizations to update or migrate to the fixed versions. The company also suggests that organizations limit access to the phMonitor port (7900) as a workaround. “Practical exploit code for this vulnerability was found in the wild,” the company cautioned.
Unfortunately for Fortinet customers, the flaw does not generate any distinctive indicators of compromise when exploited, making device compromise harder to detect.
Separately, GreyNoise, which monitors global Internet threat activity, this week reported a “significant” and recent spike in brute-force traffic directed against Fortinet SSL VPNs. The traffic emanated from as many as 780 unique IP addresses and appeared to be deliberate and precisely targeted rather than just opportunistic in nature.
An Ominous Behavior Shift?
The attacks have happened in two distinct waves. The first wave of brute-force attacks targeted FortiOS, the operating system running on Fortinet’s FortiGate next-generation firewall devices, many of which include SSL VPN functionality. The second wave showed markedly different behavior and targeted Fortinet’s FortiManager with the company’s proprietary FortiGate-to-FortiManager (FGFM) protocol.
“This indicated a shift in attacker behavior — potentially the same infrastructure or toolset pivoting to a new Fortinet-facing service,” GreyNoise said. What it means is that instead of targeting individual SSL VPN endpoints, attackers have begun focusing on breaching the centralized management infrastructure to gain access to multiple FortiGate devices.
According to GreyNoise, previous surges in similar activity that targeted Fortinet products were strongly correlated with vulnerability disclosures in the targeted technology shortly thereafter. “Spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor — most within six weeks,” GreyNoise said. In fact, a startling 80% of the observed instances of similar traffic spikes was followed by a CVE disclosure.
For Fortinet customers, the new vulnerability and the reported surge in malicious traffic are particularly troubling. Attackers have gone after Fortinet products with a vengeance in recent years because of the privileged access the technologies provide to victim networks, once breached.
As Tenable pointed out in a blog this week, as many as 20 CVEs on the US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) Catalog are Fortinet vulnerabilities. The most impactful among them, in the company’s opinion, includes CVE-2025-32756, a zero-day vulnerability that Fortinet patched in May after multiple threat groups had already begun exploiting it; CVE-2024-55591, an authentication bypass flaw in multiple Fortinet products that attackers also exploited as a zero-day; and CVE-2022-42475, a buffer-overflow bug that multiple threat actors, including nation-state backed groups, exploited. A more recent example is CVE-2025-24472, an authentication bypass flaw that allowed attackers to gain super-admin privileges on affected systems.
