CISA has ordered U.S. government agencies to secure their systems within a week against another vulnerability in Fortinet’s FortiWeb web application firewall, which was exploited in zero-day attacks.
Tracked as CVE-2025-58034, this OS command injection flaw can allow authenticated threat actors to gain code execution in low-complexity attacks that don’t require user interaction.
“An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands,” Fortinet said on Tuesday.
The cybersecurity agency added the vulnerability to its Known Exploited Vulnerabilities Catalog the same day, giving Federal Civilian Executive Branch (FCEB) agencies until Tuesday, November 25th, to secure their systems against attacks as mandated by the Binding Operational Directive (BOD) 22-01.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned.
“With recent and ongoing exploitation events [..], a reduced remediation timeframe of one week is recommended,” it added, referring to a second FortiWeb flaw (CVE-2025-64446) exploited in zero-day attacks that Fortinet silently patched in late October.
On Friday, CISA also added the CVE-2025-64446 vulnerability to its catalog of actively exploited security flaws, ordering U.S. federal agencies to patch their devices by November 21st.
BleepingComputer has reached out to a Fortinet spokesperson with questions about these flaws, but we have yet to receive a response.
In August, Fortinet addressed another command injection vulnerability (CVE-2025-25256) in its FortiSIEM solution, following a GreyNoise report warning of a surge in brute-force attacks against Fortinet SSL VPNs.
Fortinet vulnerabilities are commonly exploited in cyber espionage and ransomware attacks. For instance, in February, Fortinet revealed that a Chinese hacking group tracked as Volt Typhoon exploited two FortiOS SSL VPN flaws to breach a Dutch Ministry of Defence military network using a custom remote access trojan (RAT) called Coathanger.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.