Active Exploitation of FortiWeb OS Command Injection Vulnerabilities
Fortinet has disclosed multiple vulnerabilities in its FortiWeb web application firewall, including a critical OS command injection flaw tracked as CVE-2025-64446 and another actively exploited vulnerability, CVE-2025-58034. These vulnerabilities allow authenticated attackers to execute unauthorized code or commands on affected FortiWeb systems via crafted HTTP requests or CLI commands. Fortinet has observed exploitation of these flaws in the wild and has released security updates to address the issues, urging customers to upgrade to the latest versions to mitigate risk. The vulnerabilities impact several FortiWeb versions, and Fortinet has credited researchers from Trend Micro for responsible disclosure.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by mandating that all federal civilian agencies patch CVE-2025-64446 within seven days, highlighting the severity and active exploitation of the bug. Security researchers have noted that attackers are using HTTP POST requests to create new admin-level accounts on exposed devices, and CISA has recommended disabling HTTP/HTTPS on internet-facing interfaces if immediate patching is not possible. Fortinet has communicated directly with affected customers and emphasized the importance of prompt remediation to prevent further compromise of FortiWeb deployments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Fortinet confirms earlier exploited FortiWeb zero-day CVE-2025-64446
In coverage following the CVE-2025-58034 disclosure, Fortinet also acknowledged a second FortiWeb zero-day, CVE-2025-64446, that had been patched earlier and used by attackers to create admin-level accounts on exposed devices. This confirmation clarified that two separate FortiWeb vulnerabilities were under active exploitation.
Fortinet discloses and patches exploited FortiWeb flaw CVE-2025-58034
Fortinet published advisory FG-IR-25-513 for CVE-2025-58034, an authenticated OS command injection vulnerability in FortiWeb that can enable unauthorized code execution through crafted HTTP requests or CLI commands. The company released fixed versions and said the flaw had been exploited in the wild.
CISA orders federal agencies to patch exploited Fortinet flaw within 7 days
CISA added an exploited Fortinet FortiWeb vulnerability to its Known Exploited Vulnerabilities catalog and directed federal civilian agencies to remediate it within one week. The action signaled active exploitation and elevated urgency for defenders.
Fortinet silently patches FortiWeb flaw CVE-2025-64446
Before publicly discussing the issue, Fortinet released fixes for CVE-2025-64446, a critical FortiWeb vulnerability later described as actively exploited in the wild. Reporting characterized this as a silent patch because a full advisory was not initially issued alongside the fix.
Attackers begin exploiting FortiWeb path traversal flaw CVE-2025-64446
FortiWeb devices were reportedly targeted in global attacks beginning in early October 2025 via CVE-2025-64446, an unauthenticated path traversal vulnerability. The flaw allowed attackers to create administrator accounts on internet-exposed devices and fully compromise affected systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Fortinet criticized for ‘silent’ patching after disclosing second zero-day vulnerability in same equipment
csoonline.com
Open sourceFortinet 'fesses up to second 0-day within a week
go.theregister.com
Open sourceNew FortiWeb zero-day CVE-2025-58034 under attack patched by Fortinet
securityaffairs.com
Open sourceCISA gives govt agencies 7 days to patch new Fortinet flaw
bleepingcomputer.com
Open sourceFortinet Woes Continue With Another WAF Zero-Day Flaw
darkreading.com
Open sourceMultiple OS command injection in API and CLI
fortiguard.fortinet.com
Open sourceFortinet warns of new FortiWeb zero-day exploited in attacks
bleepingcomputer.com
Open sourceCISA gives federal agencies one week to patch exploited Fortinet bug
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of FortiWeb Command Injection Vulnerability (CVE-2025-58034)
Attackers are actively exploiting a command injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-58034, which allows authenticated users to execute unauthorized code on affected systems. The flaw, caused by improper neutralization of special elements in the `policy_scripting_post_handler` method, enables code execution as root via crafted HTTP requests or CLI commands. Fortinet released patches for affected FortiWeb versions between October 23 and 31, 2025, but did not publicly disclose the vulnerability at the time. The issue was privately reported by a Trend Micro researcher, and both Fortinet and CISA have confirmed active exploitation, with CISA adding the CVE to its Known Exploited Vulnerabilities catalog and mandating rapid remediation for US federal agencies. Security researchers warn that proof-of-concept code for CVE-2025-58034 may soon be publicly available, increasing the risk of widespread attacks. There is currently no workaround for this vulnerability, and organizations are urged to upgrade to the fixed FortiWeb versions immediately and check for signs of compromise. The vulnerability requires authentication to exploit, but successful exploitation grants attackers root-level access. The disclosure timeline shows the vulnerability was reported in June 2025 and publicly disclosed in November 2025, with coordinated advisories from both Fortinet and the Zero Day Initiative.
Mar 21, 2026
Active Exploitation of Fortinet FortiWeb OS Command Injection Vulnerability (CVE-2025-58034)
Fortinet has disclosed a critical OS command code injection vulnerability, identified as CVE-2025-58034, affecting FortiWeb products. Security advisories from both Fortinet and the Canadian Centre for Cyber Security confirm that an exploit for this vulnerability is active in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the significant risk posed to organizations using affected FortiWeb devices. CISA recommends a reduced remediation timeframe of one week due to ongoing exploitation and urges all organizations, not just federal agencies, to prioritize patching this vulnerability. The vulnerability is a frequent attack vector for malicious actors, and immediate action is advised to mitigate the risk, including applying vendor updates and following best practices for securing internet-exposed management interfaces. Organizations are encouraged to review the official advisories and implement the necessary updates to protect their networks from active threats.
Mar 21, 2026
Fortinet FortiWeb Zero-Day Vulnerabilities Exploited in the Wild
Fortinet has disclosed two significant vulnerabilities in its FortiWeb product, CVE-2025-58034 and CVE-2025-64446, both of which have been actively exploited in the wild. The first, CVE-2025-58034, is a medium-severity OS command injection flaw that allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The second, CVE-2025-64446, is a critical vulnerability that can be chained with the first to facilitate authentication bypass and further command injection. Fortinet has released patches in version 8.0.2 to address these issues, but the company has faced criticism for its handling and staggered disclosure of the flaws, with some suggesting the delay was to allow customers time to patch before publicizing the risks. Security researchers, including Orange Cyberdefense, have observed several exploitation campaigns leveraging these vulnerabilities, raising concerns about the potential for widespread compromise of FortiWeb deployments. The U.S. CISA has added the new Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog, underscoring the urgency for organizations to apply the latest patches. The incidents highlight ongoing risks in supply chain and critical infrastructure security, as attackers increasingly target widely deployed security appliances with zero-day exploits.
Mar 21, 2026