
Fortinet SIEM issue coincides with spike in brute-force traffic against company’s SSL VPNs

Researchers aren’t aware of any active exploitation of the software, but the issue is being addressed at the same time as attackers are trying to brute-force the company’s security appliances.
Fortinet office in Burnaby, BC, Canada, July 7, 2023. (Getty Images)

Fortinet warned customers in an advisory Tuesday of a critical vulnerability in FortiSIEM, its security information and event management software, adding that “practical exploit code” for the defect exists in the wild.

The OS command injection vulnerability, CVE-2025-25256, has an initial CVSS score of 9.8 and could allow unauthenticated attackers to escalate privileges and execute code or commands. Active exploitation hasn’t been observed. Fortinet encouraged customers on affected versions of FortiSIEM to upgrade to the latest version available, and advised customers to limit access to the phMonitor port (7900) as a workaround. 

The CVE designation and disclosure arrived on the heels of a GreyNoise threat report alerting defenders to a significant spike in brute-force traffic targeting Fortinet hardware, particularly its secure sockets layer (SSL) VPNs. GreyNoise said it observed more than 780 unique IPs attempting to brute force credentials against Fortinet SSL VPNs earlier this month. 
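The kind of signal GreyNoise describes, a sudden jump in the number of distinct source IPs failing authentication against an SSL VPN login endpoint, can be reproduced on a defender's own logs. The following is an added example written for this article; it is not GreyNoise's code or a Fortinet tool. The log format is a simplified, constructed key=value layout rather than real FortiOS syslog, and the field names (`src`, `user`, `action`, `result`), the one-day window, and the thresholds are assumptions. It goes a little beyond the article by also reporting the noisiest sources in a flagged window, which helps separate a distributed brute-force campaign from one host spraying many usernames.

```python
"""Detect spikes in distinct source IPs failing SSL VPN logins.

Added example for illustration; not from the article, GreyNoise or Fortinet.
The log format below is constructed and simplified (not real FortiOS syslog).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed sample log: three quiet days of ordinary failures, then a
# burst of failures from many different source addresses on the fourth day.
SAMPLE_LOG = """\
2025-08-01T09:00:05Z src=198.51.100.7 user=jdoe action=ssl-login result=failure
2025-08-01T09:00:40Z src=198.51.100.7 user=jdoe action=ssl-login result=success
2025-08-02T09:10:00Z src=198.51.100.9 user=asmith action=ssl-login result=failure
2025-08-03T09:15:00Z src=198.51.100.7 user=jdoe action=ssl-login result=failure
2025-08-04T02:00:01Z src=203.0.113.10 user=admin action=ssl-login result=failure
2025-08-04T02:00:02Z src=203.0.113.11 user=admin action=ssl-login result=failure
2025-08-04T02:00:03Z src=203.0.113.12 user=admin action=ssl-login result=failure
2025-08-04T02:00:04Z src=203.0.113.13 user=admin action=ssl-login result=failure
2025-08-04T02:00:05Z src=203.0.113.14 user=backup action=ssl-login result=failure
2025-08-04T02:00:06Z src=203.0.113.15 user=backup action=ssl-login result=failure
2025-08-04T02:00:07Z src=203.0.113.16 user=vpn action=ssl-login result=failure
2025-08-04T02:00:08Z src=203.0.113.17 user=vpn action=ssl-login result=failure
2025-08-04T02:00:09Z src=203.0.113.10 user=root action=ssl-login result=failure
2025-08-04T02:00:10Z src=203.0.113.10 user=test action=ssl-login result=failure
"""

# Assumed line layout: "<ISO8601 UTC> src=<ip> user=<name> action=ssl-login result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=ssl-login result=(?P<result>\S+)$"
)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_events(text):
    """Yield (timestamp, src_ip, user, result) for each well-formed line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["src"], m["user"], m["result"]


def window_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    return EPOCH + ((ts - EPOCH) // window) * window


def failing_sources_per_window(events, window):
    """Map window start -> {src_ip: failed-login count} for that window."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, _user, result in events:
        if result == "failure":
            buckets[window_start(ts, window)][src] += 1
    return buckets


def detect_spikes(text, window=timedelta(days=1), min_unique=5, factor=3.0):
    """Flag windows whose count of distinct failing IPs is both above an absolute
    floor and at least `factor` times the median of all earlier windows."""
    buckets = failing_sources_per_window(parse_events(text), window)
    alerts, history = [], []
    for start in sorted(buckets):
        unique = len(buckets[start])
        baseline = median(history) if history else 0
        if unique >= min_unique and (baseline == 0 or unique >= factor * baseline):
            noisiest = sorted(buckets[start].items(), key=lambda kv: -kv[1])[:3]
            alerts.append({
                "window_start": start,
                "unique_ips": unique,
                "baseline": baseline,
                "noisiest_sources": noisiest,  # one IP hitting many users hints at spraying
            })
        history.append(unique)
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this flags only 2025-08-04, with eight distinct failing sources against a baseline of one per day, and lists 203.0.113.10 first because it alone tried three different usernames. The thresholds are deliberately conservative defaults; tune `min_unique` and `factor` against a few weeks of your own quiet-period logs before alerting on them.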

GreyNoise research shows that notable spikes in attacker activity against edge technologies often precede, within six weeks, the disclosure of a new CVE in the targeted technology. The pattern held in 4 of 5 cases GreyNoise analyzed overall.


The threat intel company has specifically documented instances where spikes in malicious activity against Fortinet products were followed soon after by CVE disclosures affecting the same product.

“GreyNoise cannot confirm a direct causal link between the brute-force activity against Fortinet SSL VPNs and the disclosure of CVE-2025-25256 affecting FortiSIEM,” Noah Stone, head of content at GreyNoise Intelligence, told CyberScoop. “While the close timing between this spike and the CVE-2025-25256 disclosure is notable, it does not prove the two events are related.”

During the period of heightened activity earlier this month, “the observed traffic was also targeting our FortiOS profile, suggesting deliberate and precise targeting of Fortinet’s SSL VPNs,” Stone said in a blog post. “This was not opportunistic — it was focused activity.”

GreyNoise has observed 55 malicious IPs targeting Fortinet SSL VPNs in the past day. While researchers aren’t currently aware of exploitation, the presence of exploit code suggests that could change soon.

“The public release of practical exploit code typically accelerates exploitation in the wild, as it lowers the barrier for less sophisticated attackers,” Stone said.


Fortinet did not provide any details about the nature of the exploit code, or when and how it became aware of the vulnerability. Yet, in its advisory, the security vendor noted: “the exploitation code does not appear to produce distinctive indicators of compromise.”

Defects in Fortinet products pose a persistent risk for defenders and a recurring pathway for attackers to break into victim networks. The cybersecurity vendor did not respond to a request for comment.

The Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog contains 20 Fortinet defects dating back to 2021, including five so far this year. The majority of those flaws, including three added this year, have been used in ransomware attacks, according to CISA. 

Edge technologies, including VPNs, firewalls and routers, harbored the four most frequently exploited vulnerabilities in 2024, according to Mandiant’s M-Trends report released earlier this year. 

One of those defects, a SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server — CVE-2023-48788 — was the fourth-most frequently exploited vulnerability across all of Mandiant’s incident response engagements last year. 


Researchers at Darktrace said another Fortinet vulnerability — CVE-2024-47575, a defect affecting Fortinet’s network management tool — was among the six most commonly exploited vulnerabilities it observed last year.
