Fortinet discloses critical bug with working exploit code amid surge in brute-force attempts
Fortinet warned customers about a critical FortiSIEM bug that could allow an unauthenticated attacker to execute unauthorized commands, and said working exploit code for the flaw has been found in the wild.
The OS-command-injection vulnerability, tracked as CVE-2025-25256, received a 9.8 CVSS rating and affects multiple versions of the security tool: 7.3.0-7.3.1, 7.2.0-7.2.5, 7.1.0-7.1.7, 7.0.0-7.0.3, and before 6.7.9. Customers need to upgrade to a fixed version and, as a workaround, the vendor suggests limiting access to the phMonitor port (7900).
An unauthenticated attacker can abuse this flaw by crafting a CLI request and then executing arbitrary commands on the operating system, which can allow complete system takeover. And, according to the security advisory, miscreants don’t even need to work very hard to do this, as “practical exploit code for this vulnerability was found in the wild.”
Fortinet did not respond to The Register's questions, including whether it was aware of any exploitation.
The disclosure follows a warning from GreyNoise about a surge in brute-force traffic targeting Fortinet SSL VPNs. On Tuesday, the threat-intel biz said it observed a spike in these credential-abusing attempts against Fortinet on August 3, with more than 780 unique IPs attempting to gain unauthorized access.
“Spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor — most within six weeks,” GreyNoise Head of Content Noah Stone wrote. “In fact, GreyNoise found that spikes in activity triggering this exact tag are significantly correlated with future disclosed vulnerabilities in Fortinet products.”
After Fortinet’s Tuesday advisory about CVE-2025-25256, the brute-force attempts against the VPN products spiked again, but not to the August 3 level. At press time, GreyNoise had documented 56 IPs over the past 24 hours.
“GreyNoise cannot confirm a direct causal link between the brute-force activity against Fortinet SSL VPNs and the disclosure of CVE-2025-25256 affecting FortiSIEM,” Stone told El Reg in an email. “Historical research shows a recurring pattern where spikes in malicious scanning or brute-forcing against a product are sometimes followed by vulnerability disclosures in that same product family. While the close timing between this spike and the CVE-2025-25256 disclosure is notable, it does not prove the two events are related.”
The August 3 brute-force surge marked “the highest single-day volume we’ve seen” in recent months, according to GreyNoise, which noted “two distinct waves” of traffic over a two-week window of Fortinet SSL VPN brute-force attempts.
Wave one involved a “long-running set of brute-force activity tied to a single TCP signature that remained relatively steady over time,” while the second wave was a “sudden and concentrated burst of traffic beginning August 5.” This one had a different TCP signature, and upon further investigation, the threat analysts noted a shift from FortiOS to FortiManager:
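A defender-side way to watch for the kind of unique-source-IP surge GreyNoise describes is to count distinct failing source addresses per day in your own SSL VPN logs and flag days that jump well above the running baseline. The script below is an added example, not code from the article, GreyNoise or Fortinet; the FortiGate-like key=value line format, the field names and the 3x-baseline threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in a FortiGate-like key=value style (not real logs).
def _mk(day, ips, action="ssl-login-fail"):
    return [
        f'date={day} time=10:00:{i % 60:02d} type="event" subtype="vpn" '
        f'action="{action}" remip={ip} user="admin"'
        for i, ip in enumerate(ips)
    ]

SAMPLE_LOGS = (
    _mk("2025-08-01", ["203.0.113.10", "203.0.113.11"])
    + _mk("2025-08-02", ["203.0.113.10", "203.0.113.12", "198.51.100.5"])
    + _mk("2025-08-03", [f"198.51.100.{n}" for n in range(20, 32)])  # 12 IPs
    + _mk("2025-08-03", ["192.0.2.7"], action="ssl-login-ok")  # ignored
)

# Assumed field layout: date=..., action="...", remip=... on one line.
LINE_RE = re.compile(r'date=(\S+) .*?action="ssl-login-fail" .*?remip=(\S+)')

def unique_ips_per_day(lines):
    """Map each day to the number of distinct source IPs with failed logins."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # successful logins and unrelated events are skipped
        day, ip = m.groups()
        per_day[day].add(ip)
    return {day: len(ips) for day, ips in per_day.items()}

def flag_spikes(counts, factor=3.0, min_ips=5):
    """Return days whose unique-IP count is >= factor * mean of prior days."""
    days = sorted(counts)
    flagged = []
    for i, day in enumerate(days):
        prior = [counts[d] for d in days[:i]]
        if not prior:
            continue  # no baseline yet for the first day
        baseline = sum(prior) / len(prior)
        if counts[day] >= min_ips and counts[day] >= factor * baseline:
            flagged.append(day)
    return flagged

if __name__ == "__main__":
    counts = unique_ips_per_day(SAMPLE_LOGS)
    print(counts, "spike days:", flag_spikes(counts))
```

On the constructed data only 2025-08-03 is flagged (12 distinct failing IPs against a baseline of 2.5), so the same two functions run over real exported logs give a per-day series to compare with the vendor's advisory timeline.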
We’ve also asked Fortinet about the GreyNoise report, and will update this story if and when we receive any response. ®