SOCRadar® Cyber Intelligence Inc. | CVE-2025-58034: New FortiWeb Zero-Day Exploited, Enables OS Command Injection
Nov 19, 2025
Apr 21, 2026

[Update] FortiWeb’s CVE-2025-58034 Enters CISA’s Known Exploited Vulnerabilities

Fortinet has issued a new advisory confirming that a recently identified FortiWeb vulnerability, now tracked as CVE-2025-58034, is being exploited in real-world attacks. The flaw affects several supported FortiWeb versions and enables an authenticated attacker to run unauthorized system-level commands.

This blog breaks down the key facts: what the vulnerability is, which versions are affected, how attackers can abuse it, how it relates to the earlier FortiWeb issue CVE-2025-64446, and what organizations should do immediately.

What Is CVE-2025-58034?

CVE-2025-58034 (CVSS 6.7) is an OS command injection vulnerability caused by improper neutralization of user-controlled elements in both the API and CLI components of FortiWeb. In practice, it allows an attacker who already holds valid credentials to execute arbitrary operating system commands on the affected device.

Vulnerability card of CVE-2025-58034 (SOCRadar Vulnerability Intelligence)

The attack surface includes crafted HTTP requests or CLI commands. While the requirement for authentication reduces its reach compared to fully unauthenticated flaws, the ability to gain command execution on a security appliance still presents meaningful risk, especially if attackers combine it with other weaknesses that help them obtain credentials or privileged access.

Fortinet has confirmed that this issue is being exploited in the wild, elevating its urgency.

Which FortiWeb Versions Are Affected by CVE-2025-58034?

The vulnerability impacts multiple release branches. Fortinet advises upgrading to the minimal fixed versions listed below:

  • FortiWeb 8.0: 8.0.0–8.0.1 → upgrade to 8.0.2 or later
  • FortiWeb 7.6: 7.6.0–7.6.5 → upgrade to 7.6.6 or later
  • FortiWeb 7.4: 7.4.0–7.4.10 → upgrade to 7.4.11 or later
  • FortiWeb 7.2: 7.2.0–7.2.11 → upgrade to 7.2.12 or later
  • FortiWeb 7.0: 7.0.0–7.0.11 → upgrade to 7.0.12 or later
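As an added triage helper (not code from Fortinet or SOCRadar), the following Python encodes the affected ranges listed above so an inventory of FortiWeb version strings can be checked against them; the accepted input formats ("7.4.3", "v7.4.3", "FortiWeb 7.4.3") are an assumption, and branches Fortinet does not list are reported as unknown rather than assumed safe.

```python
"""Check FortiWeb version strings against the CVE-2025-58034 affected ranges
published in the Fortinet advisory (as summarised on this page)."""
from typing import Tuple

Version = Tuple[int, ...]

# Per release branch: (first affected, last affected, minimal fixed version).
AFFECTED_RANGES = {
    (8, 0): ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    (7, 6): ((7, 6, 0), (7, 6, 5), (7, 6, 6)),
    (7, 4): ((7, 4, 0), (7, 4, 10), (7, 4, 11)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 0): ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
}


def parse_version(text: str) -> Version:
    """Turn '7.4.3', 'v7.4.3' or 'FortiWeb 7.4.3' into a comparable tuple.
    (Input formats are an assumption for this example.)"""
    core = text.strip().split()[-1].lstrip("vV")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(text: str) -> dict:
    """Return whether a version is affected and, if so, the release to move to.
    Branches not in the advisory (e.g. 6.x) come back as 'unknown'."""
    v = parse_version(text)
    branch = v[:2]
    if branch not in AFFECTED_RANGES:
        return {"version": text, "status": "unknown", "fixed_in": None}
    low, high, fixed = AFFECTED_RANGES[branch]
    if low <= v <= high:
        return {"version": text, "status": "affected",
                "fixed_in": ".".join(map(str, fixed))}
    return {"version": text, "status": "patched", "fixed_in": None}


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    for s in ["8.0.1", "8.0.2", "7.4.10", "7.4.11", "v7.0.3", "6.4.2"]:
        print(s, assess(s))
```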

How Can Attackers Exploit CVE-2025-58034?

To exploit this vulnerability, an attacker must first authenticate to the affected FortiWeb system. Once authenticated, they can send specifically crafted HTTP requests or invoke CLI commands that improperly pass user input into underlying OS functions.

This allows the attacker to:

  • Execute arbitrary commands
  • Modify system behavior
  • Potentially pivot into deeper parts of a network if the appliance sits in a sensitive position

Although credential requirements limit opportunistic exploitation, threat actors often chain vulnerabilities – and attackers who gained administrative access through other FortiWeb flaws may attempt to leverage CVE-2025-58034 for broader impact.

How Does This Compare to the Recent FortiWeb Flaw CVE-2025-64446?

This new vulnerability arrives only days after attention focused on CVE-2025-64446 (CVSS 9.1), a critical path traversal and authentication bypass flaw that allowed attackers to create administrative accounts without credentials. That earlier issue was silently patched before Fortinet later issued an official advisory.

The key difference is:

  • CVE-2025-64446 enables unauthenticated attackers to gain admin-level access.
  • CVE-2025-58034 requires authentication but enables command execution once access is obtained.

For a deeper breakdown of CVE-2025-64446 and its exploitation activity, see our previous analysis: “FortiWeb Path Traversal Exploit (CVE-2025-64446) Actively Targeted: What You Need to Know”.

FortiWeb’s CVE-2025-58034 Enters CISA’s Known Exploited Vulnerabilities

CISA has officially added CVE-2025-58034, the FortiWeb OS command injection vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog following confirmation of active exploitation. According to the agency, this class of vulnerability is a frequent entry point for malicious cyber actors and poses a significant threat to federal networks when left unpatched.

Because of the ongoing exploitation activity and Fortinet’s recent advisory, CISA has assigned an accelerated remediation deadline of November 25, 2025, giving affected organizations one week to apply fixes. Federal civilian agencies must update to a patched FortiWeb release or implement approved compensating controls before the due date.

What Should Administrators Do to Reduce Risk?

Organizations running affected versions should act quickly. Key steps include:

  • Upgrade immediately to the recommended fixed releases for your version branch.
  • Review admin accounts for unexpected or recently created users.
  • Examine logs for unusual HTTP requests or suspicious CLI activity.
  • Restrict management access so the interface is reachable only from trusted internal networks or VPNs.
  • Monitor for lateral movement or unexpected configuration changes on the device.

Applying patches and validating the integrity of administrative access paths are the most impactful actions.

Strengthen Your Defense with SOCRadar ASM and CTI

As organizations work to secure FortiWeb deployments against CVE-2025-58034 and other fast-moving threats, maintaining visibility into emerging vulnerabilities and exposed assets is essential.

SOCRadar’s Cyber Threat Intelligence (CTI) module delivers enriched Vulnerability Intelligence that helps teams:

  • Track high-risk CVEs as they emerge
  • Understand exploitation activity and related threat behaviors
  • Prioritize remediation using contextual technical insights

SOCRadar Cyber Threat Intelligence module, Vulnerability Intelligence

Complementing CTI, SOCRadar’s Attack Surface Management (ASM) enables organizations to:

  • Identify internet-facing assets and outdated services
  • Detect misconfigurations or unintended exposure
  • Monitor infrastructure changes that may introduce new risk

Together, SOCRadar ASM and CTI provide the continuous external visibility needed to respond quickly and confidently to vulnerabilities.