A critical pre-authentication command injection vulnerability (CVE-2025-25256) in Fortinet FortiSIEM allows remote attackers to execute arbitrary code via specially crafted XML payloads. The flaw affects multiple FortiSIEM versions and targets the phMonitor service on TCP port 7900, posing serious risks to enterprise security. Immediate patching and restricting access to the vulnerable service are strongly recommended to mitigate exploitation.
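To verify that access to phMonitor is actually restricted, the following added example (not part of the advisory or of any Fortinet tooling) audits connection records for TCP port 7900 and reports sources outside an allowlist. The log line format, the trusted networks and all addresses are constructed assumptions; adapt the parser to your firewall's export format.

```python
import ipaddress

PHMONITOR_PORT = 7900  # phMonitor TCP port named in the advisory

# Assumption: networks that legitimately need to reach phMonitor in this deployment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.1.5/32")]

# Constructed sample records: "timestamp action proto src_ip:src_port dst_ip:dst_port"
SAMPLE_LOG = """\
2025-01-01T10:00:01Z ACCEPT tcp 10.20.0.14:51544 10.20.0.10:7900
2025-01-01T10:00:07Z ACCEPT tcp 192.0.2.77:40112 10.20.0.10:7900
2025-01-01T10:00:09Z DROP tcp 198.51.100.9:33910 10.20.0.10:7900
2025-01-01T10:00:12Z ACCEPT tcp 192.0.2.77:40120 10.20.0.10:443
malformed line
2025-01-01T10:00:15Z ACCEPT udp 203.0.113.5:5353 10.20.0.10:7900
"""

def split_endpoint(endpoint):
    """Split 'ip:port' (IPv4 form); raises ValueError on anything else."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def audit(log_text, trusted=TRUSTED_NETS, port=PHMONITOR_PORT):
    """Return (exposed, blocked): untrusted sources that reached / were denied the port."""
    exposed, blocked = [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that do not match the assumed format
        ts, action, proto, src, dst = fields
        try:
            src_ip, _ = split_endpoint(src)
            _, dst_port = split_endpoint(dst)
        except ValueError:
            continue
        if proto.lower() != "tcp" or dst_port != port:
            continue  # only the phMonitor TCP port is in scope
        if any(src_ip in net for net in trusted):
            continue  # expected traffic from allowlisted networks
        (exposed if action.upper() == "ACCEPT" else blocked).append((ts, str(src_ip)))
    return exposed, blocked

if __name__ == "__main__":
    exposed, blocked = audit(SAMPLE_LOG)
    for ts, ip in exposed:
        print(f"EXPOSED  {ts} untrusted {ip} reached tcp/{PHMONITOR_PORT}")
    for ts, ip in blocked:
        print(f"blocked  {ts} {ip} denied on tcp/{PHMONITOR_PORT}")
```

Any entry in the first list means the access restriction is not in effect for that source; entries in the second list show the filter working and are useful for spotting probing.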