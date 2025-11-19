Attackers are actively exploiting another FortiWeb vulnerability (CVE-2025-58034) that Fortinet fixed without making its existence public at the time.

About CVE-2025-58034

CVE-2025-58034 is an OS Command Injection flaw (CWE-78) caused by improper neutralization of special elements used in an OS command. It allows an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands; authentication is required, so a valid account or a separate authentication bypass is a prerequisite for exploitation.

“Fortinet has observed this to be exploited in the wild,” the company’s Product Security Incident Response Team confirmed in a security advisory published on Tuesday.

CISA also added it to its Known Exploited Vulnerabilities catalog and ordered US federal civilian agencies to address it within a week.

CVE-2025-58034 was privately reported by Trend Micro researcher Jason McFadyen.

It affects FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11, and can be remediated by upgrading to FortiWeb 8.0.2, 7.6.6, 7.4.11, 7.2.12, or 7.0.12 (or above), respectively.
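The affected and fixed ranges above, turned into a quick inventory check. This is an added worked example, not code from the article or from Fortinet: the branch table is transcribed from the version numbers quoted above, the hostnames and version strings are constructed sample input, and the parser only assumes that a FortiWeb version string contains an `x.y.z` triple somewhere (as in `v7.4.10,build1234`). Branches the advisory does not list (for example 6.x) are deliberately reported as "not listed" rather than as safe.

```python
"""Check FortiWeb version strings against the CVE-2025-58034 ranges.

Illustrative example only. The ranges below are the ones stated in the
article (first affected, last affected, first fixed per branch); the
inventory at the bottom is constructed sample data.
"""
from __future__ import annotations

import re

VULNERABLE, FIXED, NOT_LISTED = "vulnerable", "fixed", "not listed"

# branch -> (first affected, last affected, first fixed)
RANGES: dict[tuple[int, int], tuple[tuple[int, int, int], ...]] = {
    (8, 0): ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    (7, 6): ((7, 6, 0), (7, 6, 5), (7, 6, 6)),
    (7, 4): ((7, 4, 0), (7, 4, 10), (7, 4, 11)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 0): ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
}

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the first x.y.z triple from strings such as
    'FortiWeb v7.4.10,build1234' or '7.4.11'. Raises if none is present,
    so a malformed inventory row is not silently treated as safe."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def fmt(v: tuple[int, int, int]) -> str:
    return ".".join(str(n) for n in v)


def assess(version_string: str) -> tuple[str, str | None]:
    """Return (state, recommended upgrade) for one version string.

    Tuple comparison orders (7, 4, 10) after (7, 4, 9) correctly, which a
    plain string comparison would get wrong ('7.4.10' < '7.4.9')."""
    v = parse_version(version_string)
    branch = RANGES.get(v[:2])
    if branch is None:
        # 6.x, or a branch newer than the advisory: this check cannot speak
        # for it, so say so instead of reporting it as fixed.
        return NOT_LISTED, None
    first, last, fixed = branch
    if first <= v <= last:
        return VULNERABLE, fmt(fixed)
    return FIXED, None


def triage(inventory: list[tuple[str, str]]) -> dict[str, tuple[str, str | None]]:
    """Assess every (hostname, version string) pair in an inventory."""
    return {host: assess(ver) for host, ver in inventory}


# Constructed sample inventory (hostnames, versions and build tag invented).
SAMPLE_INVENTORY = [
    ("waf-dmz-01", "FortiWeb v7.4.10,build1234"),  # last affected 7.4.x
    ("waf-dmz-02", "7.4.11"),                      # first fixed 7.4.x
    ("waf-lab-01", "v8.0.1"),                      # affected 8.0.x
    ("waf-legacy", "6.4.3"),                       # branch not in advisory
    ("waf-new-01", "7.6.6"),                       # fixed 7.6.x
]

if __name__ == "__main__":
    for host, (state, fix) in triage(SAMPLE_INVENTORY).items():
        hint = f" -> upgrade to {fix}" if fix else ""
        print(f"{host:12} {state}{hint}")
```

Feed it the output of your own asset inventory (one hostname and version string per device) and treat every "not listed" result as a prompt to check the vendor advisory directly, not as a pass.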

These fixed versions were released between October 23 and 31, 2025, with no mention of either CVE-2025-58034 or CVE-2025-64446, an authentication bypass flaw that was recently revealed to have been exploited by attackers for weeks beforehand.

It’s currently unclear whether CVE-2025-58034 was likewise exploited as a zero-day.

What to do?

The Dutch National Cyber Security Center (NCSC-NL) says it expects proof-of-concept (PoC) code or an exploit for CVE-2025-58034 to become publicly available soon and increase the risk of widespread abuse.

Organizations that use FortiWeb but have yet to upgrade to a fixed version should do so sooner rather than later, and check their appliances for evidence of compromise.

While CVE-2025-64446 can be temporarily addressed by disabling HTTP or HTTPS on internet-facing interfaces, there is no available workaround for CVE-2025-58034; upgrading is the only fix.

