Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks.
Tracked as CVE-2025-58034, this web application firewall security flaw was reported by Jason McFadyen of Trend Micro’s Trend Research team.
Authenticated threat actors can gain code execution by successfully exploiting this OS command injection vulnerability in low-complexity attacks that don’t require user interaction.
“An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands,” Fortinet said.
“Fortinet has observed this to be exploited in the wild,” the American cybersecurity company noted in a Tuesday security advisory.
To block incoming attacks, admins are advised to upgrade their FortiWeb devices to the latest available software released today.
| Version | Affected | Solution |
|---|---|---|
| FortiWeb 8.0 | 8.0.0 through 8.0.1 | Upgrade to 8.0.2 or above |
| FortiWeb 7.6 | 7.6.0 through 7.6.5 | Upgrade to 7.6.6 or above |
| FortiWeb 7.4 | 7.4.0 through 7.4.10 | Upgrade to 7.4.11 or above |
| FortiWeb 7.2 | 7.2.0 through 7.2.11 | Upgrade to 7.2.12 or above |
| FortiWeb 7.0 | 7.0.0 through 7.0.11 | Upgrade to 7.0.12 or above |
Last week, Fortinet also confirmed that it silently patched another massively exploited FortiWeb zero-day (CVE-2025-64446) on October 28, three weeks after the threat intel firm Defused first reported active exploitation.
According to Defused, attackers are using HTTP POST requests to create new admin-level accounts on Internet-exposed devices.
On Friday, CISA also added CVE-2025-64446 to its catalog of actively exploited vulnerabilities and ordered U.S. federal agencies to secure their systems by November 21.
BleepingComputer has reached out to Fortinet and Trend Micro with questions about these flaws, but we have yet to receive a response.
Earlier this year, in August, Fortinet patched another command injection vulnerability (CVE-2025-25256) with publicly available exploit code in its FortiSIEM security monitoring solution, one day after a report from cybersecurity company GreyNoise regarding a massive spike in brute-force attacks targeting Fortinet SSL VPNs.
Fortinet vulnerabilities are often exploited (often as zero days) in cyber espionage and ransomware attacks. For instance, Fortinet disclosed in February that the Chinese Volt Typhoon hacking group exploited two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to backdoor a Dutch Ministry of Defence military network using custom Coathanger remote access trojan (RAT) malware.
Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.
Get the cheat sheet and take the guesswork out of secrets management.