Researchers warn command injection flaw in Fortinet FortiWeb is under exploitation

Researchers are warning about an operating system command injection vulnerability in Fortinet FortiWeb just days after the company confirmed exploitation of a separate critical vulnerability that was quietly patched weeks before the company issued mitigation guidance. 

The newly disclosed vulnerability, tracked as CVE-2025-58034, involves the improper neutralization of special elements used in an OS command in Fortinet FortiWeb. 

The flaw in the web application firewall, which has a severity score of 6.7, allows an authorized attacker to execute code on a system by using crafted HTTP requests or CLI commands. 

In an advisory issued on Tuesday, Fortinet warned that the flaw has been exploited in the wild. 

Trend Micro researchers said they discovered the flaw while they were researching an earlier security issue in the same product. The review found that “authenticated users could execute system commands through the web interface, which puts customers at risk of attackers taking control of the device and moving deeper into the network” if systems are not patched, Stephen Hilt, senior threat researcher at Trend Micro, told Cybersecurity Dive.

The Cybersecurity and Infrastructure Security Agency on Tuesday added the command injection flaw to its Known Exploited Vulnerabilities catalog.  

The company has been under fire from the security community after it issued a silent patch for CVE-2025-64446, a relative path traversal flaw in Fortinet FortiWeb. The company issued a patch for the flaw in late October, but did not publicly disclose the move until Friday, leaving security teams unaware.

Rapid7 researchers said it appears both vulnerabilities were patched in advance of disclosure and warned of the risk that attackers could chain the flaws together. Rapid7 Labs has been able to reproduce both vulnerabilities and was able to verify that the vulnerabilities, when operating in tandem, give an attacker a fully unauthenticated RCE exploit chain, Stephen Fewer, senior principal researcher at Rapid7, told Cybersecurity Dive.

The fact that CVE-2025-58034 was reported as being exploited in the wild provides additional insight into the capabilities of the attackers.

“This confirmed that whoever was exploiting the authenticated vulnerability either had prior knowledge of existing administrator credentials or they had a suitable authentication bypass, and CVE-2025-64446 is a perfect fit to satisfy this requirement,” Fewer said.

GreyNoise researchers said the company's honeypots detected threat activity targeting CVE-2025-64446 within 72 hours of the flaw being added to the KEV catalog. A spike in exploit traffic was seen beginning on Monday.

Fortinet did not return a request for comment. The company last week said it was communicating with affected customers about how to address these security issues.