Multiple Vulnerabilities in Fortinet Products Enable Arbitrary Code Execution and Information Disclosure
Several Fortinet products, including FortiWeb, FortiClient, FortiExtender, FortiMail, FortiPAM, FortiSandbox, FortiADC, FortiVoice, FortiOS, and FortiProxy, have been found to contain multiple vulnerabilities, some of which could allow for arbitrary code execution. The most severe of these vulnerabilities, such as the FortiWeb RCE flaw (CVE-2025-58034), is under active exploitation and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Additionally, a vulnerability in FortiClient for Windows involving active debug code could allow a local attacker to retrieve saved VPN user passwords, posing a significant risk of information disclosure.
Security advisories urge organizations using affected Fortinet products to review available patches and mitigations immediately. The vulnerabilities impact a wide range of Fortinet's security and networking solutions, increasing the urgency for prompt remediation to prevent potential exploitation and compromise of sensitive assets.
Sources
Related Stories
Multiple Critical Vulnerabilities in Fortinet Security Products
Fortinet has disclosed several high-severity vulnerabilities affecting its security product lines, including FortiWeb, FortiVoice, and FortiSandbox. Notable issues include a cookie forgery vulnerability in FortiWeb (CVE-2025-64447) that allows unauthenticated attackers to execute arbitrary operations via forged cookies, provided they know the device's serial number, and an improper verification of cryptographic signatures in FortiWeb (CVE-2025-59719) that enables unauthenticated attackers to bypass FortiCloud SSO login authentication using crafted SAML responses. Additionally, FortiVoice is impacted by a path traversal vulnerability (CVE-2025-60024) permitting privileged authenticated attackers to write arbitrary files, and FortiSandbox suffers from an OS command injection flaw (CVE-2025-53949) that allows authenticated attackers to execute unauthorized code on the underlying system through crafted HTTP requests. All vulnerabilities are remotely exploitable and have been assigned high or critical CVSS scores, with the FortiWeb authentication bypass rated as critical (CVSS 9.8/10). Fortinet has released security advisories and patches for the affected versions, urging customers to update their systems promptly to mitigate the risk of exploitation. Security researchers and vendors have highlighted the urgency of these patches due to the potential for unauthenticated remote attacks and the critical role these products play in enterprise security architectures.
3 months agoActive Exploitation of FortiWeb OS Command Injection Vulnerabilities
Fortinet has disclosed multiple vulnerabilities in its FortiWeb web application firewall, including a critical OS command injection flaw tracked as CVE-2025-64446 and another actively exploited vulnerability, CVE-2025-58034. These vulnerabilities allow authenticated attackers to execute unauthorized code or commands on affected FortiWeb systems via crafted HTTP requests or CLI commands. Fortinet has observed exploitation of these flaws in the wild and has released security updates to address the issues, urging customers to upgrade to the latest versions to mitigate risk. The vulnerabilities impact several FortiWeb versions, and Fortinet has credited researchers from Trend Micro for responsible disclosure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by mandating that all federal civilian agencies patch CVE-2025-64446 within seven days, highlighting the severity and active exploitation of the bug. Security researchers have noted that attackers are using HTTP POST requests to create new admin-level accounts on exposed devices, and CISA has recommended disabling HTTP/HTTPS on internet-facing interfaces if immediate patching is not possible. Fortinet has communicated directly with affected customers and emphasized the importance of prompt remediation to prevent further compromise of FortiWeb deployments.
3 months agoActive Exploitation of Fortinet FortiWeb OS Command Injection Vulnerability (CVE-2025-58034)
Fortinet has disclosed a critical OS command code injection vulnerability, identified as CVE-2025-58034, affecting FortiWeb products. Security advisories from both Fortinet and the Canadian Centre for Cyber Security confirm that an exploit for this vulnerability is active in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the significant risk posed to organizations using affected FortiWeb devices. CISA recommends a reduced remediation timeframe of one week due to ongoing exploitation and urges all organizations, not just federal agencies, to prioritize patching this vulnerability. The vulnerability is a frequent attack vector for malicious actors, and immediate action is advised to mitigate the risk, including applying vendor updates and following best practices for securing internet-exposed management interfaces. Organizations are encouraged to review the official advisories and implement the necessary updates to protect their networks from active threats.
3 months ago