Active Exploitation of Fortinet FortiWeb OS Command Injection Vulnerability (CVE-2025-58034)
Fortinet has disclosed a critical OS command code injection vulnerability, identified as CVE-2025-58034, affecting FortiWeb products. Security advisories from both Fortinet and the Canadian Centre for Cyber Security confirm that an exploit for this vulnerability is active in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the significant risk posed to organizations using affected FortiWeb devices.
CISA recommends a reduced remediation timeframe of one week due to ongoing exploitation and urges all organizations, not just federal agencies, to prioritize patching this vulnerability. The vulnerability is a frequent attack vector for malicious actors, and immediate action is advised to mitigate the risk, including applying vendor updates and following best practices for securing internet-exposed management interfaces. Organizations are encouraged to review the official advisories and implement the necessary updates to protect their networks from active threats.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA adds CVE-2025-58034 to the KEV Catalog
CISA added CVE-2025-58034 to its Known Exploited Vulnerabilities Catalog after evidence of active exploitation. CISA set a one-week remediation timeframe for federal agencies and urged all organizations to prioritize patching.
Fortinet issues FortiWeb security advisory for CVE-2025-58034
Fortinet released a security advisory for CVE-2025-58034 affecting FortiWeb, described in the references as a FortiWeb OS command code injection vulnerability and related by Fortinet to a relative path traversal issue. The advisory was publicly available by November 18, 2025.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of FortiWeb OS Command Injection Vulnerabilities
Fortinet has disclosed multiple vulnerabilities in its FortiWeb web application firewall, including a critical OS command injection flaw tracked as CVE-2025-64446 and another actively exploited vulnerability, CVE-2025-58034. These vulnerabilities allow authenticated attackers to execute unauthorized code or commands on affected FortiWeb systems via crafted HTTP requests or CLI commands. Fortinet has observed exploitation of these flaws in the wild and has released security updates to address the issues, urging customers to upgrade to the latest versions to mitigate risk. The vulnerabilities impact several FortiWeb versions, and Fortinet has credited researchers from Trend Micro for responsible disclosure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by mandating that all federal civilian agencies patch CVE-2025-64446 within seven days, highlighting the severity and active exploitation of the bug. Security researchers have noted that attackers are using HTTP POST requests to create new admin-level accounts on exposed devices, and CISA has recommended disabling HTTP/HTTPS on internet-facing interfaces if immediate patching is not possible. Fortinet has communicated directly with affected customers and emphasized the importance of prompt remediation to prevent further compromise of FortiWeb deployments.
Mar 21, 2026
Active Exploitation of FortiWeb Command Injection Vulnerability (CVE-2025-58034)
Attackers are actively exploiting a command injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-58034, which allows authenticated users to execute unauthorized code on affected systems. The flaw, caused by improper neutralization of special elements in the `policy_scripting_post_handler` method, enables code execution as root via crafted HTTP requests or CLI commands. Fortinet released patches for affected FortiWeb versions between October 23 and 31, 2025, but did not publicly disclose the vulnerability at the time. The issue was privately reported by a Trend Micro researcher, and both Fortinet and CISA have confirmed active exploitation, with CISA adding the CVE to its Known Exploited Vulnerabilities catalog and mandating rapid remediation for US federal agencies. Security researchers warn that proof-of-concept code for CVE-2025-58034 may soon be publicly available, increasing the risk of widespread attacks. There is currently no workaround for this vulnerability, and organizations are urged to upgrade to the fixed FortiWeb versions immediately and check for signs of compromise. The vulnerability requires authentication to exploit, but successful exploitation grants attackers root-level access. The disclosure timeline shows the vulnerability was reported in June 2025 and publicly disclosed in November 2025, with coordinated advisories from both Fortinet and the Zero Day Initiative.
Mar 21, 2026
Active Exploitation of Fortinet FortiWeb Path Traversal Vulnerability (CVE-2025-64446)
A critical path traversal vulnerability in Fortinet FortiWeb, tracked as CVE-2025-64446, is being actively exploited in the wild. The flaw allows unauthenticated attackers to execute administrative commands on affected FortiWeb appliances by abusing the management API to reach internal endpoints. GreyNoise observed weaponization of this vulnerability within 72 hours of its disclosure, with coordinated scanning activity originating from multiple IPs and hosting providers, indicating a rapid and organized exploitation effort. The vulnerability affects FortiWeb versions 7.0 through 8.0, and exploit attempts have been detected using uniform TLS fingerprints, suggesting the use of automated tools. CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch the flaw within a specified deadline. Another FortiWeb zero-day, CVE-2025-58034, was also disclosed and patched, but CVE-2025-64446 is noted as the more critical issue due to its unauthenticated attack vector and higher CVSS score. Security researchers emphasize the urgency of patching FortiWeb appliances to prevent unauthorized access and potential compromise, as exploitation is ongoing and targeting a broad range of organizations.
Mar 21, 2026