FortiSIEM Zero‑Day Exploited: Pre‑Auth Command Injection in phMonitor (TCP 7900)

FortiSIEM CVE‑2025‑25256 pre‑auth command injection via phMonitor on TCP 7900. XML payload details, detection, patching, and emergency response.
Illustration: a SIEM control room with service port 7900 flagged in red, an XML code overlay, and a visualization of command injection using $() and backticks.


Breaking News Summary

  • CVE‑2025‑25256 is a critical pre‑authentication OS command injection in FortiSIEM’s phMonitor service. A crafted XML message over TCP port 7900, sent with no credentials, yields remote code execution. Fortinet’s advisory reports practical exploit code found in the wild and PoC code is circulating publicly, so treat it as actively exploitable: patch immediately and restrict access to port 7900. [fieldeffect+2]

  • Root cause: ShellCmd::addParaSafe in phMonitor’s request handling only escaped quote characters, so backticks and $() in an XML field survive into a shell command line. Patched builds replace this routine with stricter, field‑specific parameterizers. [hawk-eye+1]

Technical Deep Dive

  • Service and port: phMonitor is a C++ binary that supervises FortiSIEM processes and listens on TCP 7900, exchanging messages over a custom RPC protocol wrapped in TLS. [thehackernews+1]

  • Vulnerable path: the handler for storage archive requests reads XML fields and builds OS commands from them; ShellCmd::addParaSafe only escaped quotes and never neutralized command substitution (backticks, $()), so a remote, unauthenticated sender controls part of the command line. [watchtowr+1]

  • Exploit shape: the attacker sends a TLS‑wrapped message (length header plus XML body) in which archive_nfs_archive_dir carries injected shell; published patterns use backticks or $() to run commands. [trellix+1]

  • Sample XML element: <archive_nfs_archive_dir>`id`</archive_nfs_archive_dir> or <archive_nfs_archive_dir>touch${IFS}/tmp/pwn</archive_nfs_archive_dir>, embedded in the XML template phMonitor expects for NFS archive configuration (${IFS} stands in for whitespace in the injected command). [trellix+1]

  • Preconditions: published exploit paths set archive_storage_type=nfs and target nodes running in Supervisor/Worker roles; research notes report that the hdfs storage mode is not affected in the same way. [hawk-eye]
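To make the root cause concrete, here is an added Python illustration (not code from this page, from Fortinet, or from any of the cited researchers) of why escaping quotes does not stop command injection, set beside the kind of allowlist parameterizer the patch is described as introducing. The two sanitizer functions are stand-ins written for this example for the behaviour attributed to ShellCmd::addParaSafe and its replacement; the real phMonitor code is C++ and is not reproduced. The command template is a harmless echo run through /bin/sh so the expansion can be observed directly.

```python
"""Weak quote-escaping versus a strict allowlist parameterizer.

Added example. Assumptions: add_para_unsafe and add_disk_path_param are
stand-ins for the behaviour attributed to ShellCmd::addParaSafe and to its
stricter replacement; they are not the real FortiSIEM routines.
"""
import re
import shlex
import subprocess


def add_para_unsafe(value: str) -> str:
    """Stand-in for the weak sanitizer: it only escapes quote characters,
    so $() and backticks pass through untouched."""
    return value.replace('"', '\\"').replace("'", "\\'")


# Allowlist for an NFS archive directory: absolute path, safe characters only.
_DISK_PATH = re.compile(r"/(?:[A-Za-z0-9._-]+/?)*")


def add_disk_path_param(value: str) -> str:
    """Stand-in for a strict parameterizer: reject anything outside the
    allowlist (and any '..' component), then shell-quote what is left."""
    if not _DISK_PATH.fullmatch(value) or ".." in value.split("/"):
        raise ValueError(f"rejected archive dir: {value!r}")
    return shlex.quote(value)


def _sh(cmd: str) -> str:
    """Run a command line through /bin/sh and return its trimmed stdout."""
    done = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return done.stdout.strip()


def run_with_weak_sanitizer(archive_dir: str) -> str:
    """Build the command the way the vulnerable path is described to: a
    template with the 'sanitized' value interpolated inside double quotes.
    Command substitution still expands inside "..."."""
    return _sh(f'echo "{add_para_unsafe(archive_dir)}"')


def run_with_strict_param(archive_dir: str) -> str:
    """Same template, but the value is validated and quoted first."""
    return _sh(f"echo {add_disk_path_param(archive_dir)}")


if __name__ == "__main__":
    # Constructed inputs mirroring the injection shapes in the write-ups.
    probes = ("/data/archive", "/data/$(printf INJECTED)", "/data/`printf INJECTED`")
    for probe in probes:
        print("weak  :", probe, "->", run_with_weak_sanitizer(probe))
        try:
            print("strict:", probe, "->", run_with_strict_param(probe))
        except ValueError as err:
            print("strict:", err)
```

The weak path prints /data/INJECTED for both substitution forms: the quotes around the value are irrelevant because $() and backticks expand inside double quotes. The strict path never lets those characters reach the shell at all, and the '..' check closes the traversal hole an allowlist of path characters would otherwise leave open.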

Detection Methods

  • Network telemetry

    • Monitor inbound TLS connections to FortiSIEM hosts on TCP 7900 from anything other than known Supervisor/Worker peers; phMonitor traffic is normally internal, so external or unexpected sources are suspicious. [thehackernews+1]

    • Alert on anomalous message sizes and on spikes in 7900 traffic volume, especially off‑hours, and on new ASNs or subnets contacting 7900. [vulncheck+1]

  • Content heuristics

    • If internal TLS interception is in place, pattern‑match XML bodies that set archive_storage_type to nfs and whose archive_nfs_archive_dir contains any of ` $ { } ( ) ; these characters have no place in a directory path and indicate injection attempts. [thehackernews+1]

  • Host/EDR signals

    • Alert on shells spawned from the phMonitor process, on unexpected files created in /tmp by the account phMonitor runs as, and on outbound reverse‑shell connections following 7900 hits. [hawk-eye+1]

    • Hunt for traces of public PoC runs: bursts of 7900 requests followed by systemd service restarts or unexplained high CPU on the FortiSIEM node. [trellix]
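The network and content heuristics above, worked as an added Python example (not code from this page or from any vendor or researcher): one function flags TCP 7900 flows from sources outside the Supervisor/Worker allowlist or of anomalous size, the other inspects a decrypted phMonitor XML body for shell metacharacters in archive_nfs_archive_dir. The flow-record format, the peer networks and the sample messages are all constructed for the illustration; the content check assumes you can obtain decrypted 7900 payloads from an internal TLS intercept.

```python
"""Hunting helpers for CVE-2025-25256: flow-level and content-level checks.

Added example. The flow line format, peer allowlist and XML samples below
are constructed for this illustration; nothing here is FortiSIEM code.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that never belong in an NFS directory path but are
# required for command substitution and the ${IFS} whitespace trick.
_INJECTION_CHARS = re.compile(r"[`$(){};|&<>]")

# Constructed flow records: '<ts> <src_ip> <dst_ip> <dst_port> <bytes>'.
SAMPLE_FLOWS = [
    "2025-08-13T02:14:07Z 10.20.0.11 10.20.0.10 7900 1840",   # worker -> supervisor
    "2025-08-13T02:14:09Z 203.0.113.7 10.20.0.10 7900 2210",  # internet -> supervisor
    "2025-08-13T02:14:30Z 10.20.0.12 10.20.0.10 7900 900000", # peer, oversized message
    "2025-08-13T02:15:00Z 10.50.3.4 10.20.0.10 443 9000",     # unrelated HTTPS
]
PEER_NETWORKS = ["10.20.0.0/24"]  # assumed Supervisor/Worker enclave

# Constructed XML bodies following the template in the write-ups.
SAMPLE_BENIGN_XML = (
    "<root><archive_storage_type>nfs</archive_storage_type>"
    "<archive_nfs_server_ip>10.20.0.50</archive_nfs_server_ip>"
    "<archive_nfs_archive_dir>/mnt/archive</archive_nfs_archive_dir>"
    "<scope>local</scope></root>"
)
SAMPLE_MALICIOUS_XML = SAMPLE_BENIGN_XML.replace("/mnt/archive", "/tmp/$(id)")


def parse_flow_line(line: str) -> dict:
    """Parse one constructed flow record into a dict."""
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def suspicious_7900_flows(lines, peer_networks, max_bytes=65536):
    """Return 7900 flows whose source is outside the peer allowlist, or whose
    size is anomalous even though the source is a trusted peer."""
    nets = [ipaddress.ip_network(n) for n in peer_networks]
    hits = []
    for line in lines:
        flow = parse_flow_line(line)
        if flow["dport"] != 7900:
            continue
        src = ipaddress.ip_address(flow["src"])
        if not any(src in net for net in nets):
            flow["reason"] = "7900 from non-peer source"
            hits.append(flow)
        elif flow["bytes"] > max_bytes:
            flow["reason"] = "oversized 7900 message from peer"
            hits.append(flow)
    return hits


def xml_looks_injected(body: str) -> list:
    """Return offending values when an NFS archive request carries shell
    metacharacters in archive_nfs_archive_dir. Unparseable input is reported
    as well: a phMonitor peer should never send malformed XML.
    Caveat: xml.etree is not hardened against hostile XML (entity expansion);
    use defusedxml when feeding real intercepted traffic."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["unparseable XML on 7900"]
    storage = (root.findtext("archive_storage_type") or "").strip()
    archive_dir = root.findtext("archive_nfs_archive_dir") or ""
    if storage == "nfs" and _INJECTION_CHARS.search(archive_dir):
        return [archive_dir]
    return []


if __name__ == "__main__":
    for hit in suspicious_7900_flows(SAMPLE_FLOWS, PEER_NETWORKS):
        print(hit["ts"], hit["src"], "->", hit["dst"], ":", hit["reason"])
    print("benign   :", xml_looks_injected(SAMPLE_BENIGN_XML))
    print("malicious:", xml_looks_injected(SAMPLE_MALICIOUS_XML))
```

Tune max_bytes to the message sizes your own Supervisor/Worker peers actually exchange before enabling the size rule; the allowlist rule alone is the high-confidence signal, since a non-peer reaching 7900 is a policy violation regardless of payload.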

Emergency Response Procedures

  • Contain first

    • Immediately restrict TCP 7900 to known Supervisor/Worker nodes with ACLs and block all external access at perimeter firewalls; limiting access to the phMonitor port is also the vendor’s stated workaround. [fieldeffect+1]

    • If compromise is suspected, isolate the FortiSIEM nodes from east‑west traffic and preserve volatile evidence (memory, process list, open network connections) before any reboot; a compromised SIEM can have its own logging tampered with, so do not rely on it as the sole record. [secpod+1]

  • Patch and validate

    • Upgrade to a fixed FortiSIEM build. Fortinet’s advisory (FG‑IR‑25‑152) lists 7.3.2, 7.2.6, 7.1.8, 7.0.4 and 6.7.10 as the fixed releases on their branches; 7.4 is not affected; 5.4 through 6.6 have no fixed build and must migrate to a supported release. Advisories list 5.4 through 7.3.1 as the affected range. [secpod+1]

    • Post‑patch, confirm the phMonitor binary is the patched build: researchers who diffed the patch report the ShellCmd::addParaSafe path replaced by field‑specific parameterizers such as addHostnameOrIpParam and addDiskPathParam; otherwise verify build identifiers against the vendor advisory. [hawk-eye]

  • Forensics and hygiene

    • Review system logs for unexpected command execution under the phMonitor PID, check /tmp and cron/scheduler entries for persistence artifacts, rotate FortiSIEM credentials and API keys, and re‑enroll collectors. [trellix+1]

XML Payload Anatomy

  • Header: a custom 16‑byte little‑endian header precedes the XML; its fields include a magic value and the payload length. Header and XML body are sent over TLS to port 7900. [trellix]

  • Core fields: archive_storage_type set to nfs; archive_nfs_server_ip, often 127.0.0.1 in PoCs; archive_nfs_archive_dir, which carries the injection string. [hawk-eye+1]

  • Example template (conceptual):

    • <root><archive_storage_type>nfs</archive_storage_type><archive_nfs_server_ip>127.0.0.1</archive_nfs_server_ip><archive_nfs_archive_dir>{cmd}</archive_nfs_archive_dir><scope>local</scope></root> [trellix]

Network Segmentation Recommendations

  • Isolate the SIEM plane: place FortiSIEM Supervisors and Workers in a management enclave with default‑deny inbound from non‑SIEM subnets; allow only the required ports from collectors and admin jump hosts. [fieldeffect+1]

  • Service‑to‑service allowlists: permit TCP 7900 only between Supervisor and Worker peers, and block routing from user and workload VLANs to 7900 entirely. [fieldeffect]

  • TLS and identity: use mTLS on 7900 internally where the product supports it, or constrain access with firewall policies keyed to device identity tags; log and alert on any policy exception. [vulncheck+1]

Patch Verification Steps

  • Version check: confirm the upgrade to a non‑affected build (7.3.2 or later, or the fixed build for your branch) per vendor guidance, and verify that the phMonitor binary’s timestamp and build identifier match the patched release. [secpod+1]

  • Negative test: in a lab, send safe test payloads to 7900 and confirm that archive_nfs_archive_dir no longer triggers command execution and is strictly validated. [watchtowr+1]

  • Port exposure audit: scan the environment to confirm 7900 is reachable only inside the SIEM enclave, and validate the ACLs and security groups. [vulncheck+1]
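For the version check, an added Python helper (not vendor code) that maps a FortiSIEM version string onto the fix matrix from Fortinet’s advisory FG‑IR‑25‑152, so an inventory export can be triaged in bulk. The matrix values are the advisory’s; the one assumption is that any branch newer than 7.4 is treated as not affected, which you should confirm against the current advisory text.

```python
"""Triage FortiSIEM version strings against the CVE-2025-25256 fix matrix.

Added example, not vendor code. Fixed builds per affected branch (from
Fortinet advisory FG-IR-25-152): 7.3.2, 7.2.6, 7.1.8, 7.0.4, 6.7.10.
7.4 is not affected. 5.4 through 6.6 have no fixed build and must migrate.
Assumption: branches newer than 7.4 are treated as not affected.
"""
import re

FIXED_IN = {
    (7, 3): (7, 3, 2),
    (7, 2): (7, 2, 6),
    (7, 1): (7, 1, 8),
    (7, 0): (7, 0, 4),
    (6, 7): (6, 7, 10),
}
MIGRATE_ONLY = {(5, 4), (6, 1), (6, 2), (6, 3), (6, 4), (6, 5), (6, 6)}


def parse_version(text: str) -> tuple:
    """Accept '7.3.1', '7.3.1.3452' or 'FortiSIEM-7.3.1-3452' and return
    (major, minor, patch); build numbers are ignored."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(text: str) -> dict:
    """Classify a version as fixed, vulnerable (with the action to take),
    not affected, or unknown to the matrix."""
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        if version >= fixed:
            return {"version": version, "status": "fixed", "action": None}
        return {
            "version": version,
            "status": "vulnerable",
            "action": "upgrade to %d.%d.%d or later" % fixed,
        }
    if branch in MIGRATE_ONLY:
        return {
            "version": version,
            "status": "vulnerable",
            "action": "migrate to a fixed release (no patch for this branch)",
        }
    if branch >= (7, 4):  # assumption: newer branches are not affected
        return {"version": version, "status": "not affected", "action": None}
    return {"version": version, "status": "unknown", "action": "check the vendor advisory"}


if __name__ == "__main__":
    # Constructed inventory lines as an asset export might list them.
    for entry in ("7.3.1", "FortiSIEM-7.2.5-1234", "7.3.2.3452", "6.7.9", "6.6.3", "7.4.0"):
        result = assess(entry)
        print(f"{entry:22} {result['status']:13} {result['action'] or ''}")
```

A version string alone proves only what the appliance reports; pair this with the binary timestamp and build identifier check from the bullet above, since a half-applied upgrade can leave the old phMonitor in place.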

FAQ

  • Is exploitation happening now?

    • Public PoC code exists, and Fortinet’s advisory reports practical exploit code found in the wild; treat the flaw as actively exploited. [thehackernews+1]

  • Which versions are affected?

    • Releases from 5.4 through 7.3.1 are affected. 7.3.2 and the per‑branch fixes 7.2.6, 7.1.8, 7.0.4 and 6.7.10 are remediated, and 7.4 is not affected; older branches must migrate. Verify against the vendor advisory. [secpod+1]

  • Any mitigations if patching is delayed?

    • Restrict 7900 to trusted FortiSIEM peers only and block external access (the vendor’s workaround); monitor for shells spawned by phMonitor, and consider temporary IPS rules for 7900 injection patterns internally. [fieldeffect+1]


Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let’s explore tech together!