Urgent FortiWeb Zero-Day Actively Exploited, Fortinet Warns
▼ Summary
– Fortinet has released security updates to patch a new zero-day vulnerability (CVE-2025-58034) in FortiWeb that is actively being exploited in attacks.
– This OS command injection flaw allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands without user interaction.
– Trend Micro has detected around 2000 instances of attacks exploiting this vulnerability in the wild.
– Administrators must upgrade their FortiWeb devices to the latest software versions to protect against exploitation.
– Fortinet recently confirmed it silently patched another exploited FortiWeb zero-day (CVE-2025-64446) and CISA has ordered federal agencies to secure systems by November 21.
A critical security vulnerability in FortiWeb web application firewalls is currently being exploited by attackers in active campaigns, prompting an urgent call for organizations to apply newly released patches. This zero-day flaw, identified as CVE-2025-58034, enables authenticated attackers to execute arbitrary operating system commands through manipulated HTTP requests or CLI commands. The issue, an OS command injection weakness, was discovered and reported by Jason McFadyen from Trend Micro’s research division.
Fortinet has officially confirmed that malicious actors are leveraging this vulnerability in real-world attacks. According to Trend Micro, their systems have already registered roughly 2,000 detections linked to exploitation attempts. The company’s security advisory stresses that the attack complexity is low and does not require any action from end-users, making it particularly dangerous for unpatched systems.
To protect networks, administrators must immediately update their FortiWeb appliances to the latest firmware versions. The affected versions and required upgrades are as follows: FortiWeb 8.0 users should move to version 8.0.2 or later; version 7.6 requires an upgrade to 7.6.6 or above; 7.4 installations must be updated to 7.4.11 or higher; 7.2 systems need version 7.2.12 or later; and 7.0 deployments should be upgraded to 7.0.12 or above.
This recent disclosure follows another serious FortiWeb zero-day, tracked as CVE-2025-64446, which Fortinet patched without public announcement on October 28. Threat intelligence firm Defused initially reported active exploitation of that vulnerability, noting that attackers used HTTP POST requests to create new administrator accounts on devices accessible from the internet. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added CVE-2025-64446 to its Known Exploited Vulnerabilities catalog, mandating all federal civilian agencies to remediate the issue by November 21.
Fortinet’s products have frequently been targeted in sophisticated cyber operations. Just this past August, the company addressed a separate command injection bug, CVE-2025-25256, in its FortiSIEM solution after public exploit code appeared online. That patch arrived shortly after GreyNoise reported a significant increase in brute-force attacks against Fortinet SSL VPNs.
Historically, vulnerabilities in Fortinet systems have been weaponized by advanced threat groups for espionage and ransomware attacks. In one notable incident from February, the Chinese state-sponsored actor Volt Typhoon exploited two FortiOS SSL VPN flaws, CVE-2022-42475 and CVE-2023-27997, to implant the custom Coathanger remote access trojan within a Dutch Ministry of Defence military network. These repeated incidents highlight the importance of maintaining timely security updates for all network infrastructure components.
(Source: Bleeping Computer)
