![Image Main](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEKdkwpYxJC7o2i7S9wnA23qyb2BohSBPoI9nZSfX-qt7bRgSwxhDKYeogidmxxGNCSI0l- l-cKj8eJsA4bDVEjsUAiQVmw8bK6ZTE7omWqq7kSP0L_DpCG23Q91NjEx-lrepVUjzwSKo2 _H6Ke4I-7XOPHZAiGYhdHB3eTOCG8S_ksc1SEJU4PchDAuSM/s790-rw-e365/fort.jpg)

Fortinet has issued a crucial security alert about a new vulnerability in its FortiWeb product (a web application firewall), confirming that the flaw is already being actively exploited by attackers. This vulnerability, classified as medium severity, requires immediate action by system administrators.

Vulnerability Details (CVE-2025-58034)

The security flaw, identified as CVE-2025-58034, has a CVSS score of 6.7. Fortinet describes it as a “Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)” vulnerability (CWE-78).

  • Impact: Allows an authenticated attacker to execute unauthorized code on the underlying system.
  • Attack Vector: The attacker can achieve the execution of operating system commands through malicious HTTP requests or CLI (Command Line Interface) commands.
  • Exploitation Prerequisite: The vulnerability requires the attacker to first obtain authenticated access to the system, which implies that successful exploitation could be chained with another access vector.

The vulnerability was reported by Trend Micro researcher Jason McFadyen through Fortinet’s responsible disclosure policy.

Fortinet has provided patches for all affected versions. Users are urged to update to the following versions to mitigate the risk of exploitation:

  • FortiWeb 8.0.0 to 8.0.1: Upgrade to version 8.0.2 or higher.
  • FortiWeb 7.6.0 to 7.6.5: Upgrade to version 7.6.6 or higher.
  • FortiWeb 7.4.0 to 7.4.10: Update to version 7.4.11 or higher.
  • FortiWeb 7.2.0 to 7.2.11: Update to version 7.2.12 or higher.
  • FortiWeb 7.0.0 to 7.0.11: Update to version 7.0.12 or higher.

Silent Patches Controversy

Fortinet’s announcement about CVE-2025-58034 coincides with a recent controversy over its handling of another critical vulnerability. Fortinet confirmed that it had quietly patched another critical FortiWeb vulnerability, CVE-2025-64446 (CVSS score of 9.1), in version 8.0.2, without issuing a public security advisory at the time.

  • Fortinet Rationale: A Fortinet spokesperson said the company “diligently balances our commitment to our customers’ security and our culture of responsible transparency.”
  • Criticisms: The practice of silent patching has been criticized by the cybersecurity community. VulnCheck noted that by not communicating new security issues, vendors “are issuing an invitation to attackers while choosing to keep that same information out of the hands of defenders.”

CISA Warning and Patch Deadline

The US Cybersecurity and Infrastructure Agency (CISA) has reacted quickly to the threat. CISA has added CVE-2025-58034 to its catalog of Known Exploited Vulnerabilities (KEV), underscoring the severity and active exploitation of the flaw.

CISA has directed the agencies of the Federal Civil Executive Branch (FCEB) to apply the corresponding patches no later than November 25, 2025.

Conclusion

The active exploitation of the CVE-2025-58034 vulnerability, combined with CISA’s KEV designation, raises the urgency of applying security patches to affected FortiWeb systems. Organizations should prioritize updating to the latest versions to mitigate the risk of command injection and protect against potential intrusions.

References

  • CVE-2025-58034: FortiWeb operating system command injection vulnerability.
  • CVE-2025-64446: Critical FortiWeb vulnerability quietly patched.
  • CISA KEV Catalog: CISA Known Exploited Vulnerabilities Catalog.