A set of newly disclosed critical vulnerabilities in Fortinet products is raising serious cybersecurity concerns, with national CERT (Computer Emergency Response Team) authorities warning that attackers could remotely seize control of core security infrastructure without authentication. The most severe of these flaws affects FortiSIEM, Fortinet’s enterprise security management platform, and is already accompanied by public proof-of-concept exploits.
The remote code execution (RCE) flaw, tracked as CVE-2025-64155, allows attackers to execute arbitrary code on FortiSIEM appliances without any credentials or user interaction. If the management interface is exposed to a network, an attacker could take full control of the system. CERT analysts note that compromising FortiSIEM could enable attackers to manipulate logs, suppress alerts, erase traces of intrusion, and pivot deeper into enterprise networks undetected.
Other critical vulnerabilities affect multiple Fortinet products, including:
Together, these vulnerabilities represent a systemic risk to organizations relying on Fortinet systems for monitoring, protecting, and managing networks.
Successful exploitation of these flaws could allow attackers to:
CERT emphasizes that when security infrastructure itself is compromised, the defensive posture of an organization can collapse entirely.
The advisory outlines signs of compromise, such as unusual administrative activity, unexpected process behavior, unauthorized configuration changes, and access to stored credentials. Administrators are urged to monitor for unknown IP addresses accessing management interfaces.
The CERT message is clear: patching is urgent. Affected versions include FortiSIEM 6.x and 7.x, FortiOS 6.4 through 7.6, and multiple FortiSwitchManager and FortiFone models. Organizations are advised to apply official patches, rotate credentials, restart affected services, and review logs for signs of prior compromise.
For environments where immediate patching is not possible, temporary mitigations include IP whitelisting, network segmentation, VPN-only administrative access, and isolating vulnerable systems. However, these measures only reduce exposure and do not fully eliminate risk.
The incident highlights that security infrastructure itself is a target. Organizations should enforce least-privilege access, maintain audit logs, protect security systems with network defenses, forward logs off-device, and have incident response plans for appliance compromise. Immediate action patching, credential rotation, log review, and monitoring is critical to prevent full system takeover.