Active Exploitation of FortiWeb Command Injection Vulnerability (CVE-2025-58034)
Attackers are actively exploiting a command injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-58034, which allows authenticated users to execute unauthorized code on affected systems. The flaw, caused by improper neutralization of special elements in the policy_scripting_post_handler method, enables code execution as root via crafted HTTP requests or CLI commands. Fortinet released patches for affected FortiWeb versions between October 23 and 31, 2025, but did not publicly disclose the vulnerability at the time. The issue was privately reported by a Trend Micro researcher, and both Fortinet and CISA have confirmed active exploitation, with CISA adding the CVE to its Known Exploited Vulnerabilities catalog and mandating rapid remediation for US federal agencies.
Security researchers warn that proof-of-concept code for CVE-2025-58034 may soon be publicly available, increasing the risk of widespread attacks. There is currently no workaround for this vulnerability, and organizations are urged to upgrade to the fixed FortiWeb versions immediately and check for signs of compromise. The vulnerability requires authentication to exploit, but successful exploitation grants attackers root-level access. The disclosure timeline shows the vulnerability was reported in June 2025 and publicly disclosed in November 2025, with coordinated advisories from both Fortinet and the Zero Day Initiative.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Additional notice links CVE-2025-58034 with FortiWeb auth bypass issue
A subsequent notice discussed CVE-2025-58034 alongside CVE-2025-64446, highlighting FortiWeb command injection and authentication bypass risks together. This expanded public understanding of the broader FortiWeb security issues being tracked.
Public reports say CVE-2025-58034 is being exploited in the wild
Security reporting on November 19-20 stated that CVE-2025-58034 was under active exploitation as a zero-day affecting FortiWeb. Coverage described the bug as enabling OS command injection and remote code execution against exposed systems.
ZDI publishes advisory for FortiWeb remote code execution vulnerability
The Zero Day Initiative published advisory ZDI-25-1014 describing a Fortinet FortiWeb policy_scripting_post_handler command injection vulnerability that could lead to remote code execution. This marked a public technical disclosure of the flaw.
Fortinet patches FortiWeb command injection flaw CVE-2025-58034
Fortinet released fixes for CVE-2025-58034, a command injection vulnerability in FortiWeb's policy_scripting_post_handler component. Multiple later reports characterized the issue as stealth-patched before broader public attention.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Fortinet FortiWeb’s CVE-2025-58034: Command Injection Exploited in the Wild
thecyberthrone.in
Open sourceFortinet FortiWeb Authentication Bypass and Command Injection Vulnerability (CVE-2025-64446/CVE-2025-58034) Notice
securityboulevard.com
Open sourceFortiWeb CVE-2025-58034: Exploited Zero-Day Command Injection in WAF
foresiet.com
Open sourceStealth-patched FortiWeb vulnerability under active exploitation (CVE-2025-58034)
helpnetsecurity.com
Open sourceFortinet FortiWeb policy_scripting_post_handler Command Injection Remote Code Execution Vulnerability
zerodayinitiative.com
Open sourceCVE-2025-58034: New FortiWeb Zero-Day Exploited, Enables OS Command Injection
socradar.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of FortiWeb OS Command Injection Vulnerabilities
Fortinet has disclosed multiple vulnerabilities in its FortiWeb web application firewall, including a critical OS command injection flaw tracked as CVE-2025-64446 and another actively exploited vulnerability, CVE-2025-58034. These vulnerabilities allow authenticated attackers to execute unauthorized code or commands on affected FortiWeb systems via crafted HTTP requests or CLI commands. Fortinet has observed exploitation of these flaws in the wild and has released security updates to address the issues, urging customers to upgrade to the latest versions to mitigate risk. The vulnerabilities impact several FortiWeb versions, and Fortinet has credited researchers from Trend Micro for responsible disclosure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by mandating that all federal civilian agencies patch CVE-2025-64446 within seven days, highlighting the severity and active exploitation of the bug. Security researchers have noted that attackers are using HTTP POST requests to create new admin-level accounts on exposed devices, and CISA has recommended disabling HTTP/HTTPS on internet-facing interfaces if immediate patching is not possible. Fortinet has communicated directly with affected customers and emphasized the importance of prompt remediation to prevent further compromise of FortiWeb deployments.
Mar 21, 2026
Active Exploitation of Fortinet FortiWeb OS Command Injection Vulnerability (CVE-2025-58034)
Fortinet has disclosed a critical OS command code injection vulnerability, identified as CVE-2025-58034, affecting FortiWeb products. Security advisories from both Fortinet and the Canadian Centre for Cyber Security confirm that an exploit for this vulnerability is active in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the significant risk posed to organizations using affected FortiWeb devices. CISA recommends a reduced remediation timeframe of one week due to ongoing exploitation and urges all organizations, not just federal agencies, to prioritize patching this vulnerability. The vulnerability is a frequent attack vector for malicious actors, and immediate action is advised to mitigate the risk, including applying vendor updates and following best practices for securing internet-exposed management interfaces. Organizations are encouraged to review the official advisories and implement the necessary updates to protect their networks from active threats.
Mar 21, 2026
Active Exploitation of Fortinet FortiWeb Path Traversal Vulnerability (CVE-2025-64446)
A critical path traversal vulnerability in Fortinet FortiWeb, tracked as CVE-2025-64446, is being actively exploited in the wild. The flaw allows unauthenticated attackers to execute administrative commands on affected FortiWeb appliances by abusing the management API to reach internal endpoints. GreyNoise observed weaponization of this vulnerability within 72 hours of its disclosure, with coordinated scanning activity originating from multiple IPs and hosting providers, indicating a rapid and organized exploitation effort. The vulnerability affects FortiWeb versions 7.0 through 8.0, and exploit attempts have been detected using uniform TLS fingerprints, suggesting the use of automated tools. CISA added CVE-2025-64446 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch the flaw within a specified deadline. Another FortiWeb zero-day, CVE-2025-58034, was also disclosed and patched, but CVE-2025-64446 is noted as the more critical issue due to its unauthenticated attack vector and higher CVSS score. Security researchers emphasize the urgency of patching FortiWeb appliances to prevent unauthorized access and potential compromise, as exploitation is ongoing and targeting a broad range of organizations.
Mar 21, 2026