Fortinet has released an urgent security advisory addressing a newly discovered zero-day vulnerability, CVE-2025-58034, in its FortiWeb web application firewall platform, after evidence emerged of active exploitation in the wild.
The flaw, characterized as improper neutralization of special elements used in OS commands (CWE-78), enables authenticated attackers to execute unauthorized code or commands on targeted devices via crafted HTTP requests or through the platform’s CLI interface.
Security researchers, including Jason McFadyen from Trend Research at Trend Micro, are credited with responsibly reporting the vulnerability, which Fortinet published on November 18 alongside mitigation steps.
The vulnerability affects multiple versions, including FortiWeb 8.0 (up to 8.0.1), 7.6 (up to 7.6.5), 7.4 (up to 7.4.10), 7.2 (up to 7.2.11), and 7.0 (up to 7.0.11).
| FortiWeb Major Version | Affected Versions | Patched Version / Solution |
|---|---|---|
| 8.0 | 8.0.0 – 8.0.1 | Upgrade to 8.0.2 or above |
| 7.6 | 7.6.0 – 7.6.5 | Upgrade to 7.6.6 or above |
| 7.4 | 7.4.0 – 7.4.10 | Upgrade to 7.4.11 or above |
| 7.2 | 7.2.0 – 7.2.11 | Upgrade to 7.2.12 or above |
| 7.0 | 7.0.0 – 7.0.11 | Upgrade to 7.0.12 or above |
If exploited, attackers could gain the ability to run arbitrary code with system-level privileges, significantly compromising device integrity, potentially pivoting deeper into network environments, and modifying or disabling web protections.
The vulnerability is classified as medium severity with a CVSSv3 score of 6.7 according to Fortinet, though several external researchers have noted comparable path traversal flaws for FortiWeb this month carry critical scores due to unauthenticated access vectors.
Exploitation Observed in the Wild
Reports from security analysts and organizations such as Rapid7 and Defused have tracked in-the-wild exploitation since early October, including public postings of proof-of-concept code on underground forums.
Attacks have already targeted internet-facing FortiWeb panels, with successful exploitation enabling attackers to automate persistence using newly created administrator accounts.
Fortinet urges all affected users to upgrade to the available patches in 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12. Restrict management interface exposure and immediately audit existing admin accounts for unauthorized additions as additional mitigation.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
