Saved February 14, 2026
The article details a series of vulnerabilities found in the FortiSIEM appliance, culminating in CVE-2025-64155. It describes how these issues enable remote code execution and privilege escalation, showcasing the exploitation process that leads to full system compromise. The timeline of reporting and patching efforts by Fortinet is also outlined.
In August 2025, Fortinet announced a command injection vulnerability in FortiSIEM, identified as CVE-2025-25256. Further investigation led to the discovery of additional vulnerabilities, collectively labeled CVE-2025-64155, which include an unauthenticated argument injection allowing remote code execution and a privilege escalation flaw that can grant root access. The proof of concept for exploiting these vulnerabilities is available on GitHub.
FortiSIEM, a security information and event management solution, has been the subject of previous research, with notable vulnerabilities like CVE-2023-34992 and CVE-2024-23108. Despite being discussed among the Black Basta ransomware group, these issues were not listed by CISA as known exploited vulnerabilities. The phMonitor service is central to FortiSIEM's architecture, exposing various command handlers without authentication, which has been exploited in past vulnerabilities.
The analysis reveals that the phMonitor service processes incoming requests and is vulnerable due to improper handling of user-controlled input. While there are protections in place, an attacker can still manipulate the curl command used within the elastic_test_url.sh script to execute arbitrary commands. Specifically, by injecting the output flag with carefully formatted input, an attacker can write a reverse shell to a writable file that runs as the admin user. Further privilege escalation can be achieved by exploiting cron jobs that execute non-root scripts, ultimately leading to full compromise of the FortiSIEM appliance.
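The bug class in that paragraph is argument injection: a value meant to be a URL is handed to curl in a way that lets leading-dash tokens be parsed as options. The block below is an added example, not code from the article, from Fortinet or from FortiSIEM; it models a hypothetical health-check helper of the kind the summary attributes to elastic_test_url.sh, and every function name and sample input in it is constructed. It shows the detection-side check (does the value contain option-looking tokens?) beside the hardened invocation (argv list, no shell, an explicit `--` before the user-controlled value, and strict URL validation).

```python
"""Guarding a curl invocation against argument injection.

Added example for this summary; it is not code from the article, from
Fortinet, or from FortiSIEM. It models a hypothetical health-check helper
that passes a user-supplied URL to curl, the pattern the summary attributes
to elastic_test_url.sh. All function names and sample inputs are constructed.
"""
import re
import shlex
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Whitespace and control characters have no place inside a single URL argument.
_FORBIDDEN = re.compile(r"[\s\x00-\x1f\x7f]")


def looks_like_option_injection(value: str) -> bool:
    """Detection-side check: would any shell-style token of ``value`` start
    with '-'?  That is what turns a 'URL' into extra curl options once the
    value is interpolated into a shell command line."""
    try:
        tokens = shlex.split(value)
    except ValueError:
        return True  # unbalanced quotes: treat as hostile
    return any(tok.startswith("-") for tok in tokens)


def validate_target_url(value: str) -> str:
    """Accept only an absolute http(s) URL with a hostname and no embedded
    whitespace or control characters; reject anything curl could read as an
    option.  Returns the value unchanged on success, raises ValueError otherwise."""
    if value.startswith("-"):
        raise ValueError("value begins with '-' and could be parsed as an option")
    if _FORBIDDEN.search(value):
        raise ValueError("whitespace or control characters in URL")
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise ValueError("URL has no hostname")
    return value


def accepts(value: str) -> bool:
    """Convenience predicate around validate_target_url."""
    try:
        validate_target_url(value)
    except ValueError:
        return False
    return True


def build_curl_argv(value: str, timeout_s: int = 5) -> list[str]:
    """Build an argv list for curl: no shell, fixed options first, then '--'
    so curl stops option parsing before the user-controlled value."""
    url = validate_target_url(value)
    return ["curl", "--silent", "--show-error", "--max-time", str(timeout_s), "--", url]


def run_probe(value: str, timeout_s: int = 5) -> int:
    """Run the probe without a shell and return curl's exit status."""
    argv = build_curl_argv(value, timeout_s)
    completed = subprocess.run(argv, capture_output=True, timeout=timeout_s + 1)
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate endpoint, one option-shaped value.
    for sample in ("https://elastic.example.internal:9200/", "-o /tmp/constructed"):
        print(sample, "-> option-like tokens:", looks_like_option_injection(sample))
        try:
            print("  argv:", build_curl_argv(sample))
        except ValueError as err:
            print("  rejected:", err)
```

The two layers are deliberately independent: `looks_like_option_injection` is what you would run over request logs or audit an existing script with, while `build_curl_argv` is the shape the call should have in the first place. The `--` terminator only helps when curl is invoked without a shell, so the argv list and `shell=False` (the `subprocess.run` default) are part of the fix, not an optional nicety.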
The timeline of the vulnerability disclosure highlights a slow response from Fortinet's PSIRT, with initial reporting on August 14, 2025, and the advisory not released until January 13, 2026. The delays in addressing these vulnerabilities raise concerns about the security posture of FortiSIEM and the impact on its users.