Urgent: Actively Exploited FortiWeb Flaw Patched (CVE-2025-58034)
▼ Summary
– Attackers are actively exploiting FortiWeb vulnerability CVE-2025-58034, which Fortinet patched without initially disclosing its existence.
– CVE-2025-58034 is an OS command injection flaw allowing authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands.
– CISA added this vulnerability to its Known Exploited Vulnerabilities catalog and required US federal agencies to address it within one week.
– The vulnerability affects multiple FortiWeb versions and can be fixed by upgrading to specific patched releases issued between October 23-31, 2025.
– There is no available workaround for CVE-2025-58034, and organizations are urged to upgrade immediately and check for compromise.
A newly discovered and actively exploited vulnerability within FortiWeb web application firewalls has been patched, requiring immediate attention from organizations using affected versions. Tracked as CVE-2025-58034, this security flaw is an OS command injection vulnerability that enables authenticated attackers to run arbitrary commands on the underlying system through specifically manipulated HTTP requests or CLI commands. Fortinet’s Product Security Incident Response Team has officially confirmed that malicious exploitation of this vulnerability is already occurring in real-world attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by adding CVE-2025-58034 to its Known Exploited Vulnerabilities catalog. Federal civilian agencies have been directed to apply the necessary patches within one week. The vulnerability was originally discovered and privately reported by Jason McFadyen, a researcher from Trend Micro.
This security issue impacts multiple FortiWeb versions, specifically 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. To resolve the vulnerability, administrators must upgrade their systems to FortiWeb version 8.0.2, 7.6.6, 7.4.11, 7.2.12, or 7.0.12, or any later release. These patched versions were made available between October 23 and 31, 2025, though the updates were initially released without public mention of either CVE-2025-58034 or CVE-2025-64446, a separate authentication bypass flaw that attackers had already been exploiting for several weeks. It remains uncertain whether CVE-2025-58034 was also used as a zero-day before the patch was issued.
![Image of a server rack with network cables, representing enterprise security infrastructure.]
The Dutch National Cyber Security Center (NCSC-NL) has issued a warning that public release of proof-of-concept code or a functional exploit for CVE-2025-58034 is anticipated soon. Such a release would significantly raise the risk of widespread attacks. Organizations still running vulnerable FortiWeb versions are urged to upgrade immediately and conduct a thorough review of their systems for any signs of unauthorized access or compromise.
While the related CVE-2025-64446 authentication bypass can be temporarily mitigated by disabling HTTP or HTTPS services on internet-facing interfaces, no such workaround exists for CVE-2025-58034. The only reliable solution is applying the official patch without delay.
(Source: HelpNet Security)
