The new year has brought old nightmares for network security teams relying on Fortinet. Hackers are actively striking a critical hole in the FortiSIEM platform mere days after its discovery. Security experts warn that threat groups are already using this flaw to break into corporate networks with alarming speed. The race to patch these systems is now a desperate sprint against time.
Hackers Exploit New Security Gap
The year 2026 started with a heavy blow to cybersecurity defenders. On January 13, Fortinet alerted the world to a massive problem within its FortiSIEM software. This product is vital because big companies use it to monitor their entire digital network for suspicious activity. The bug is officially named CVE-2025-64155 and it carries a severity score of 9.4 out of 10. That number tells you everything you need to know about how dangerous this is.
This specific vulnerability is a command injection flaw. In simple terms, it allows an attacker to send specific malicious commands to the server. The scary part is that the attacker does not need a username or password to do this. They can just walk right in through the digital front door if the system is not patched. Once inside, they can take total control of the server.
Just days after the announcement, the situation turned from bad to worse. Security researchers at Defused observed real hackers attacking this exact weak spot on the internet. This is not just a theoretical risk anymore. It is happening right now. The researchers set up digital traps known as honeypots to see who would bite. Almost immediately after the bug was made public, these traps started lighting up with malicious traffic.
The data shows that roughly 15 different groups are currently trying to break into these systems. The attacks are coming from various locations, but a significant portion of the traffic traces back to IP addresses in China. This follows a pattern seen in recent years where sophisticated groups target edge devices like firewalls and VPNs to gain a foothold in sensitive networks.
A Familiar Flaw in the System
This new vulnerability did not appear out of thin air. It was discovered by the team at Horizon3, specifically by an attack engineer named Zach Hanley. They did exactly what ethical hackers are supposed to do. They found the hole, proved it was real, and told the vendor so it could be fixed.
The problem lives in a specific part of the software called phMonitor. This is a background service that watches over other processes and directs traffic inside the application. The issue is that this service listens for commands on port 7900. Horizon3 found that the service was too trusting. It allowed anyone who could connect to that port to run commands meant only for administrators.
Horizon3 released a proof of concept to demonstrate the flaw. This is standard practice to help defenders understand what they are up against. However, bad actors also read these reports. Experts noticed that the code hackers are using to attack systems looks almost exactly like the code Horizon3 published. It appears the attackers simply copied the work of the researchers to launch their campaigns faster.
This is not the first time the phMonitor service has caused headaches for Fortinet. In previous years, researchers found other critical bugs in the exact same place. It seems that while the company fixed the old holes, the underlying architecture of this specific service remains fragile. It continues to present a tempting target for anyone looking to break in.
Why SIEM Tools Are Prime Targets
You might wonder why hackers care so much about this specific piece of software. A SIEM, or Security Information and Event Management system, is like the brain of a security operation center. It collects logs and data from everywhere else in the network. It knows about every user, every server, and every alert.
If a hacker controls your SIEM, they control the information you see. They can delete the logs that show their presence. They can steal credentials stored in the system. They can use the server as a powerful launchpad to attack other parts of your company. Compromising a FortiSIEM appliance is like stealing the master keys to the security office.
The current attacks involve command injection. This means the attacker sends a text command disguised as a normal request. The server gets confused and executes the command as if it were part of its own programming. Because the phMonitor service runs with high privileges, the attacker instantly gains those same high privileges.
Defused founder Simo Kohonen noted that this specific bug is getting more attention than usual. While many bugs get found every month, only a few attract this many different attackers this quickly. The speed at which these 15 different actors mobilized suggests they were waiting for an opportunity like this.
Urgent Actions for Administrators
The situation is critical, but there is a clear path forward. Fortinet has released updates to fix the problem. If your organization uses FortiSIEM, you need to check your version number immediately.
The following versions are confirmed to be vulnerable:
- FortiSIEM version 6.7
- FortiSIEM version 7.0
- FortiSIEM version 7.1
- FortiSIEM version 7.2
- FortiSIEM version 7.3
- FortiSIEM version 7.4
You must update to the latest patched version provided by Fortinet support. Do not wait for a scheduled maintenance window next month. This needs to happen now.
If you cannot patch immediately, there is a temporary fix. You can block traffic to port 7900. This is the specific digital doorway the attackers are using. By closing this port to the outside world, you stop the attack vector. However, patching is the only permanent solution and should be done as soon as humanly possible.
Security teams should also look at their logs for any strange activity coming from port 7900. Since the attackers are using known code, some of these attempts might be noisy and easy to spot if you are looking for them. Remember that these attackers are moving fast. The gap between a bug being revealed and a company getting hacked is shrinking every year.
Every moment you wait is a moment where your network is exposed. The attackers are automated, relentless, and they do not sleep. Your defense strategy needs to be just as active. Take this threat seriously and secure your infrastructure today.
How confident do you feel about the security of your network edge devices in 2026? It seems like every week brings a new critical alert. I want to hear your thoughts on how your team handles these rapid fire patching cycles. Share this story with your colleagues on social media to ensure they are aware of the risk.
