New FortiWeb Zero-Day Under Active Attack


CVE-2025-58034 is a command injection vulnerability in Fortinet’s FortiWeb Web Application Firewall. Disclosed on November 18, 2025, this vulnerability is actively being exploited in the wild. It allows authenticated attackers to remotely execute arbitrary commands on affected systems through specially crafted HTTP requests or CLI commands.

Severity: High

Vulnerability Details

  • CVE: CVE-2025-58034
  • CVSS Score: 7.2
  • CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command – “OS Command Injection”)
  • Description: The vulnerability lies in the failure to properly sanitize input used in OS command execution. FortiWeb’s management interface (both API and CLI) allows authenticated users to send commands that, if maliciously crafted, can escape intended boundaries and execute unauthorized commands directly on the underlying system.
  • Affected & Fixed Versions:
| Version | Affected | Fixed In |
|---|---|---|
| FortiWeb 8.0 | 8.0.0 through 8.0.1 | Upgrade to 8.0.2 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.11 | Upgrade to 7.0.12 or above |

Exploitation

  • Preconditions:
    • Attacker must be authenticated (valid credentials required).
    • No user interaction required (low-complexity attack vector).
  • Attack Vector: Remote, via crafted HTTP requests or CLI commands.
  • Trend Micro has identified ~2000 attacks exploiting this vulnerability.
  • Likely targets: Internet-facing FortiWeb instances with weak credential controls.

Recommendations

  1. Immediately upgrade FortiWeb appliances to the fixed versions listed above.
  2. Ensure the FortiWeb management interface is not exposed to the public internet or untrusted networks.
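The two recommendations above can be applied across a fleet with a small inventory check. This is an added example, not part of the original advisory and not Fortinet tooling; the inventory records, their field names (`host`, `version`, `mgmt_exposed`) and the host names are constructed. Versions on branches outside the advisory's table are reported as not listed rather than assumed safe.

```python
import re

# Per release branch: (last affected version, first fixed version), from the advisory's table.
# Each listed branch is affected from x.y.0 up to and including the last affected version.
TABLE = {
    (8, 0): ((8, 0, 1), (8, 0, 2)),
    (7, 6): ((7, 6, 5), (7, 6, 6)),
    (7, 4): ((7, 4, 10), (7, 4, 11)),
    (7, 2): ((7, 2, 11), (7, 2, 12)),
    (7, 0): ((7, 0, 11), (7, 0, 12)),
}

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not x.y.z."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(map(int, m.groups())) if m else None

def assess(version_text):
    """Classify one version string as affected / fixed / not_listed / unparsed."""
    ver = parse_version(version_text)
    if ver is None:
        return "unparsed", None
    entry = TABLE.get(ver[:2])
    if entry is None:
        return "not_listed", None  # branch absent from the table: verify manually
    last_affected, first_fixed = entry
    # Integer tuples compare numerically, so 7.4.10 > 7.4.9 (string comparison gets this wrong).
    if ver <= last_affected:
        return "affected", ".".join(map(str, first_fixed))
    return "fixed", None

def triage(inventory):
    """Order findings: affected with exposed management first, then affected, then the rest."""
    findings = []
    for item in inventory:
        status, target = assess(item["version"])
        exposed = bool(item.get("mgmt_exposed"))
        if status == "affected":
            rank = 0 if exposed else 1
        else:
            rank = 2 if exposed else 3
        findings.append((rank, item["host"], status, target, exposed))
    return [f[1:] for f in sorted(findings, key=lambda f: (f[0], f[1]))]

# Constructed sample inventory (host names and fields are hypothetical).
SAMPLE = [
    {"host": "waf-dmz-01", "version": "7.4.10", "mgmt_exposed": True},
    {"host": "waf-int-02", "version": "7.4.11", "mgmt_exposed": False},
    {"host": "waf-lab-03", "version": "8.0.1", "mgmt_exposed": False},
    {"host": "waf-old-04", "version": "6.3.23", "mgmt_exposed": True},
]
```

Calling `triage(SAMPLE)` returns one tuple per appliance in the form `(host, status, upgrade_to, mgmt_exposed)`, with the most urgent entries first.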


Ampcus Cyber