[German]Is anyone among our readers responsible for administering Fortinet products? At the moment, there are indications that Fortinet SSL VPNs are being targeted worldwide via various IP addresses. Something may be brewing. At the same time, I have come across information that an actor is selling a 0-day RCE exploit. Well, there is a critical RCE vulnerability in FortySIEM. I'll gather some information.
Alleged Fortinet 0-day RCE exploit on sale in dark net
I came across the following tweet from security circles on X. The threat actor with the alias WISDOM is offering a Fortinet 0-day remote code exploit on the dark web for 0.5 bitcoins.
The bad actory claims that the 0-day exploit on offer enables remote code execution (RCE) on FortiOS VPN versions 7.4 to 7.6. According to the tweet, the offer includes a proof of concept (PoC) that is available to serious buyers with a deposit or an established reputation.
This is, for the time being, an unverifiable claim that remains unproven. One user responded to X that this offer seems somewhat suspicious, as the SSL VPN function was removed in Fortinet version 7.6. Therefore, there would have to be a vulnerability in the IPSEC VPN. However, this is not usually a viable attack surface for Fortinet version 7.4, as it is not used for RAS. I have to leave it at that, and I would not have picked up on it if there had not been another observation.
Attacks on Fortinet SSL VPNs/FortiManager observed
The following tweet contains information that over 780 malicious IP addresses were observed launching a coordinated brute force attack on Fortinet SSL VPNs a few hours ago.
In the middle of the campaign, however, the attackers shifted their target to FortiManager. Security researchers warn that this pattern often precedes a new CVE disclosure within a few weeks.
Another security provider responded to the above tweet, saying that these observed attacks were not just the usual noise. It looks like reconnaissance prior to intrusion into the IT networks of Fortinet customers. The advice given to administrators of Fortinet devices is that now is the time to check the patch levels of the instances, tighten or better secure VPN access, and watch out for unusual administrator activity.
Critical vulnerability in FortySIEM
There is a critical RCE vulnerability CVE-2025-25256 with a CVSS 3.1 score of 9.8 in FortySIEM, as reported by FortiGuard Labs here (via). Improper neutralization of special elements used in an operating system command ("OS command injection") causes a security vulnerability in FortiSIEM. The vulnerability could allow an unauthenticated attacker to execute unauthorized code or commands via specially crafted CLI requests.
The manufacturer reported that a practical exploit code for this vulnerability has been found in the wild. The recommendation is to restrict access to the phMonitor port (7900). The security advisory contains a list of affected FortiSIEM versions and an update on mitigation.
