
CISA Orders Agencies to Patch Critical Fortinet Flaw in 7 Days

Summary

– CISA has ordered U.S. government agencies to patch a FortiWeb vulnerability (CVE-2025-58034) within one week due to active exploitation.
– The vulnerability allows authenticated attackers to execute root-level code via crafted HTTP requests or CLI commands without user interaction.
– CISA added this flaw to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to comply by November 25th under Binding Operational Directive 22-01.
– A second FortiWeb vulnerability (CVE-2025-64446) was also added to the catalog, with a patching deadline of November 21st due to ongoing exploitation.
– Fortinet vulnerabilities are frequently exploited in cyberattacks, as seen in past incidents involving Chinese hacking groups and ransomware campaigns.

The Cybersecurity and Infrastructure Security Agency (CISA) has mandated a seven-day deadline for all U.S. government agencies to patch a critical security vulnerability discovered in Fortinet’s FortiWeb web application firewall. This urgent directive follows confirmed zero-day attacks actively exploiting the flaw in the wild.

Identified as CVE-2025-58034, this security weakness is an OS command injection vulnerability. It enables authenticated attackers to execute arbitrary code with root-level system privileges. The attacks are considered low in complexity and do not require any interaction from a user to be successful.

Fortinet officially described the issue, stating that an improper neutralization of special elements in an OS command could permit an authenticated attacker to run unauthorized code. This can be triggered by sending specifically crafted HTTP requests or command-line interface commands to the vulnerable system.

Security researchers from Trend Micro, who originally discovered and reported the vulnerability, provided deeper technical insight. They explained that the flaw resides within the `policyscriptingpost_handler` method’s implementation. The core problem stems from the system’s failure to properly validate a user-supplied string before incorporating it into a system call. This oversight allows a threat actor to leverage the vulnerability and execute commands with the highest level of system authority, that of the root user.

CISA moved swiftly, adding this particular CVE to its Known Exploited Vulnerabilities Catalog on the same day Fortinet issued its advisory. Under the authority of Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch agencies must apply the necessary patches by Tuesday, November 25th.

The agency emphasized the serious nature of such vulnerabilities, labeling them as frequent attack vectors for malicious cyber actors. CISA warned that these flaws present a substantial risk to the entire federal enterprise. The compressed one-week remediation timeline was also linked to a separate, recently exploited FortiWeb flaw tracked as CVE-2025-64446, which Fortinet had quietly addressed in a late-October update without initial public disclosure. CISA subsequently added this second vulnerability to its catalog as well, ordering federal agencies to patch their systems by November 21st.
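One way to operationalize the KEV deadlines described above, as an added example (not code from the article, Fortinet or CISA): a Python triage that indexes catalog entries by CVE and flags each asset's open CVEs as overdue or pending against a given date. The catalog and inventory below are constructed samples; the catalog follows the field names of CISA's published KEV JSON feed and carries only the two FortiWeb CVEs and due dates quoted in the article.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names as
# published by CISA; the two entries use the due dates given in the article).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-58034", "vendorProject": "Fortinet",
         "product": "FortiWeb", "dueDate": "2025-11-25",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2025-64446", "vendorProject": "Fortinet",
         "product": "FortiWeb", "dueDate": "2025-11-21",
         "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Constructed inventory (hypothetical hostnames) listing the CVEs still open
# on each device. CVE-2025-25256 is not in the sample catalog above.
SAMPLE_INVENTORY = [
    {"name": "fortiweb-edge-01", "open_cves": ["CVE-2025-58034", "CVE-2025-64446"]},
    {"name": "fortisiem-01", "open_cves": ["CVE-2025-25256"]},
]


def load_kev(json_text: str) -> dict[str, dict]:
    """Index KEV entries by CVE ID so inventory lookups are a single dict hit."""
    catalog = json.loads(json_text)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def triage(inventory: list[dict], kev: dict[str, dict], today_iso: str) -> list[dict]:
    """Report BOD 22-01 status for every (asset, open CVE) pair, most urgent first.

    'overdue' once the KEV due date has passed, 'due' while it is still pending,
    'not-in-kev' when the CVE carries no federal deadline (it may still matter).
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                findings.append({"asset": asset["name"], "cve": cve,
                                 "status": "not-in-kev", "days_left": None})
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({"asset": asset["name"], "cve": cve,
                             "status": "overdue" if days_left < 0 else "due",
                             "days_left": days_left, "due": entry["dueDate"]})
    # Overdue (most negative) first, then soonest deadline, then no deadline.
    findings.sort(key=lambda f: (f["days_left"] is None, f["days_left"] or 0))
    return findings
```

Run with a real inventory and the live KEV feed, the same logic yields a daily list of what must be patched before the federal due date; the sample data here only reproduces the two deadlines in the article.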

Media inquiries sent to Fortinet seeking additional comment on these specific security issues have not yet been answered.

This incident is part of a broader pattern concerning Fortinet products. Just a few months prior, in August, the company resolved another command injection vulnerability, CVE-2025-25256, in its FortiSIEM solution. This patch was released after security monitors observed a significant increase in brute-force attacks targeting Fortinet SSL VPNs.

Fortinet vulnerabilities are a prized target for advanced threat groups, frequently leveraged in cyber espionage campaigns and ransomware operations. A prominent example occurred earlier this year when Fortinet disclosed that a Chinese state-sponsored hacking collective, known as Volt Typhoon, had used two separate FortiOS SSL VPN flaws to infiltrate a military network belonging to the Dutch Ministry of Defence. That sophisticated attack involved the deployment of a custom-built remote access trojan named Coathanger.

(Source: Bleeping Computer)
