A critical flaw in Fortinet FortiSIEM is under active exploitation by threat actors, just days after a proof of concept was released.
The vulnerability, tracked as CVE-2025-64155, is an OS command injection: an improper neutralization of special elements used in an OS command. It allows an attacker to execute unauthorized commands on the underlying system.
Fortinet published an advisory for the flaw on Tuesday, following disclosure by researchers at Horizon3.ai. Researchers at Defused reported exploitation attempts being picked up by their honeypots.
Researchers said the flaw is the latest of several vulnerabilities found in FortiSIEM's phMonitor component in recent years. The flaws were all found “within the same high-level function that dictates which storage mechanism was used,” that is, NFS or Elasticsearch, according to Zach Hanley, chief attack engineer at Horizon3.ai.
The earlier vulnerabilities are tracked as CVE-2023-34992 and CVE-2024-23108.
Fortinet has taken a number of measures to remediate these issues, but they appear to have fallen short.
“While Fortinet has taken care to harden the attack surface against these types of bugs, their hardening has largely focused on the directly vulnerable components — not adjacent attack surfaces,” Hanley said.
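To make the vulnerability class and Hanley's point concrete, the following is an added illustration, not code from FortiSIEM, phMonitor, Horizon3.ai or this article. It is a hypothetical storage-selection routine with an NFS and an Elasticsearch branch, shown three ways: the injectable version that splices configuration values into a shell string, a version that hardens only the NFS branch while the adjacent Elasticsearch branch still builds a shell string, and a version that validates every branch against an allowlist and returns an argv list so no shell ever parses the input. The configuration values, hostnames and commands are constructed for the example.

```python
"""Added illustration of CWE-78 (OS command injection) in a storage-selection
path, and of hardening one branch while an adjacent one stays exposed.
Hypothetical code for illustration only; it is not FortiSIEM or phMonitor code."""
import re
import subprocess

# Constructed sample configurations (not taken from any real deployment).
BENIGN_NFS = {"storage": "nfs", "server": "10.0.0.5", "export": "/export/siem"}
INJECTED_NFS = {"storage": "nfs", "server": "10.0.0.5; id > /tmp/pwned", "export": "/export/siem"}
INJECTED_ELASTIC = {"storage": "elastic", "url": "http://es.internal:9200/`id`"}

# Allowlist patterns: hostnames, absolute paths and plain http(s) URLs only.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
_PATH_RE = re.compile(r"^/[A-Za-z0-9._/-]*$")
_URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d{1,5})?(/[A-Za-z0-9._/-]*)?$")


def build_vulnerable(cfg):
    """Vulnerable: config values are spliced into a shell string.  If that string
    is handed to /bin/sh, every metacharacter in the value is honoured."""
    if cfg["storage"] == "nfs":
        return f"mount -t nfs {cfg['server']}:{cfg['export']} /data"
    if cfg["storage"] == "elastic":
        return f"curl -s {cfg['url']}/_cluster/health"
    raise ValueError("unknown storage backend")


def build_partially_hardened(cfg):
    """Hardens only the NFS branch (validated input, argv list, no shell).  The
    Elasticsearch branch is an adjacent surface that still builds a shell string."""
    if cfg["storage"] == "nfs":
        if not (_HOST_RE.match(cfg["server"]) and _PATH_RE.match(cfg["export"])):
            raise ValueError("rejected NFS parameters")
        return ["mount", "-t", "nfs", f"{cfg['server']}:{cfg['export']}", "/data"]
    if cfg["storage"] == "elastic":
        return f"curl -s {cfg['url']}/_cluster/health"  # unchanged, still injectable
    raise ValueError("unknown storage backend")


def build_hardened(cfg):
    """Every branch validates against an allowlist and returns an argv list, so the
    command can be run with subprocess.run(argv) and no shell ever parses it."""
    if cfg["storage"] == "nfs":
        if not (_HOST_RE.match(cfg["server"]) and _PATH_RE.match(cfg["export"])):
            raise ValueError("rejected NFS parameters")
        return ["mount", "-t", "nfs", f"{cfg['server']}:{cfg['export']}", "/data"]
    if cfg["storage"] == "elastic":
        if not _URL_RE.match(cfg["url"]):
            raise ValueError("rejected Elasticsearch URL")
        return ["curl", "-s", f"{cfg['url']}/_cluster/health"]
    raise ValueError("unknown storage backend")


def shell_metachars(command):
    """Review helper: which shell metacharacters ended up in a command string."""
    return sorted(c for c in set(command) if c in ";|&$`<>()\n")


def rejects(fn, *args):
    """True if fn raises ValueError for the given input (i.e. validation fired)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def probe_vulnerable(server):
    """Runs a harmless echo through /bin/sh the way the vulnerable builder would:
    with shell=True an injected ';' ends the command and starts another one."""
    return subprocess.run(f"echo probing {server}", shell=True,
                          capture_output=True, text=True).stdout


def probe_hardened(server):
    """Same probe with validation and an argv list: no shell, no injection."""
    if not _HOST_RE.match(server):
        raise ValueError("rejected host")
    return subprocess.run(["echo", "probing", server],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(build_vulnerable(INJECTED_NFS))
    print(shell_metachars(build_partially_hardened(INJECTED_ELASTIC)))
    print(probe_vulnerable("10.0.0.5; echo INJECTED"), end="")
```

The partially hardened builder is the shape of the problem the quote describes: the branch that was reported gets input validation and an argv list, while the sibling branch reached from the same dispatcher still concatenates untrusted input into a shell string. A review that only asks whether shell metacharacters can reach a shell string, as the `shell_metachars` helper does, will flag the surviving branch regardless of which one was originally reported.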
The flaws did not officially land on the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, but the Black Basta ransomware group referenced them in leaked chat logs, according to researchers.
Fortinet officials were not immediately available for comment.