Critical Fortinet vulnerability disclosed with working exploit code amid a spike in brute-force attacks
Two significant threats have recently emerged against Fortinet products: a critical vulnerability in FortiSIEM, its Security Information and Event Management (SIEM) platform, and a surge of brute-force attacks against its SSL VPNs.
CVE-2025-25256: A Critical Threat to FortiSIEM
CVE-2025-25256 is a critical OS-command-injection vulnerability in FortiSIEM. Rated 9.8 on the CVSS scale, it allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system, which can lead to a complete system takeover. Proof-of-concept (PoC) exploit code is publicly available, and the flaw is being exploited in the wild.
Fortinet has released patches for multiple FortiSIEM versions, but older versions that are no longer supported remain vulnerable. To mitigate the risk, upgrade to a fixed FortiSIEM version, or, where that is not immediately possible, restrict access to the phMonitor service on TCP port 7900.
Brute-Force Attacks on Fortinet SSL VPNs
Concurrently, there has been a notable surge in brute-force attacks against Fortinet SSL VPNs. GreyNoise, a cyber threat intelligence firm, identified two distinct waves of Fortinet SSL VPN brute-force attempts over a two-week window. The first wave was tied to a single TCP signature that remained relatively steady over time, while the second wave, beginning August 5, was a sudden and concentrated burst of traffic with a different TCP signature.
On August 3, a significant spike in brute-force traffic was observed, with over 780 unique IPs attempting unauthorized access. After Fortinet's advisory about CVE-2025-25256, there was a spike in brute-force attempts against the VPN products, but not to the August 3 level, with 56 IPs documented over the past 24 hours.
GreyNoise did not, however, confirm a direct causal link between the brute-force activity against Fortinet SSL VPNs and the disclosure of CVE-2025-25256 in FortiSIEM.
In light of these developments, Fortinet customers should harden their VPN credentials and watch for brute-force activity against their SSL VPN endpoints. Fortinet has yet to respond to GreyNoise's report.
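The brute-force waves described above show up in SSL VPN authentication logs as bursts of login failures from many distinct sources. The following added example (not part of the original article or of any Fortinet or GreyNoise tooling) parses constructed key=value log lines modelled on FortiGate event logs, which is an assumption about the format, and flags both a distributed wave (many source IPs in one window) and a single noisy source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines, modelled on FortiGate key=value event logs (the
# field names are an assumption, not taken from the article). Five SSL VPN login
# failures land in one minute: three from one host plus two other sources.
SAMPLE_LOGS = """\
date=2025-08-03 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="203.0.113.10"
date=2025-08-03 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="test" remip="203.0.113.10"
date=2025-08-03 time=10:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="198.51.100.7"
date=2025-08-03 time=10:00:06 type="event" subtype="vpn" action="ssl-login-fail" user="guest" remip="203.0.113.10"
date=2025-08-03 time=10:00:09 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="192.0.2.44"
date=2025-08-03 time=10:30:00 type="event" subtype="vpn" action="tunnel-up" user="alice" remip="192.0.2.9"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def ssl_login_failures(log_text):
    """Yield (timestamp, remote_ip, user) for every SSL VPN login failure."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") == "vpn" and rec.get("action") == "ssl-login-fail":
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield ts, rec["remip"], rec["user"]

def detect_waves(log_text, window_seconds=60, max_ips=2, max_per_ip=2):
    """Bucket failures into fixed windows. 'distributed' fires when more than
    max_ips distinct sources fail in one window (the shape of the 780-IP spike
    GreyNoise reported); 'single-source' fires when one IP exceeds max_per_ip.
    Thresholds here suit the sample; real ones come from a baseline of normal rates."""
    buckets = defaultdict(lambda: defaultdict(int))  # slot -> ip -> failure count
    for ts, ip, _user in ssl_login_failures(log_text):
        buckets[int(ts.timestamp()) // window_seconds][ip] += 1
    alerts = []
    for slot in sorted(buckets):
        start = datetime.fromtimestamp(slot * window_seconds)
        per_ip = buckets[slot]
        if len(per_ip) > max_ips:
            alerts.append({"kind": "distributed", "window": start, "distinct_ips": len(per_ip)})
        for ip, n in per_ip.items():
            if n > max_per_ip:
                alerts.append({"kind": "single-source", "window": start, "ip": ip, "attempts": n})
    return alerts
```

Feeding real exported logs into `detect_waves` with thresholds set from a quiet baseline turns the article's observation into a repeatable check rather than a one-off count.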
In summary:
- CVE-2025-25256: Actively exploited, critical OS command injection in FortiSIEM, PoC available, urgent patching recommended.
- Brute-force traffic: Significant and ongoing targeting of Fortinet SSL VPNs with credential attacks, possibly unrelated to CVE-2025-25256 but concerning.
- Mitigation: Patch FortiSIEM immediately, restrict access to phMonitor (port 7900), and harden VPN credentials due to brute-force risk.
- The emergence of CVE-2025-25256, a critical OS-command-injection vulnerability in FortiSIEM with publicly available proof-of-concept exploit code, underlines the need for security tooling, including AI-assisted detection, to identify and mitigate this actively exploited threat.
- Amid the widening threat landscape, Fortinet's security tooling must also address the surge in brute-force attacks against its SSL VPNs: two waves were identified over a two-week window and could lead to unauthorized access, independently of the recent advisory about CVE-2025-25256 affecting FortiSIEM.