Fortinet FortiWeb Zero-Day Vulnerabilities Exploited in the Wild
Fortinet has disclosed two significant vulnerabilities in its FortiWeb product, CVE-2025-58034 and CVE-2025-64446, both of which have been actively exploited in the wild. The first, CVE-2025-58034, is a medium-severity OS command injection flaw that allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The second, CVE-2025-64446, is a critical vulnerability that can be chained with the first to facilitate authentication bypass and further command injection. Fortinet has released patches in version 8.0.2 to address these issues, but the company has faced criticism for its handling and staggered disclosure of the flaws, with some suggesting the delay was to allow customers time to patch before publicizing the risks.
Security researchers, including Orange Cyberdefense, have observed several exploitation campaigns leveraging these vulnerabilities, raising concerns about the potential for widespread compromise of FortiWeb deployments. The U.S. CISA has added the new Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog, underscoring the urgency for organizations to apply the latest patches. The incidents highlight ongoing risks in supply chain and critical infrastructure security, as attackers increasingly target widely deployed security appliances with zero-day exploits.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Fake Prettier extension on VSCode Marketplace delivers Anivia Stealer
A malicious extension impersonating Prettier on the VSCode Marketplace was reported as distributing the Anivia Stealer malware. The campaign abused developer trust in a popular coding tool to infect users who installed the fake package.
Security Affairs reports active exploitation, breaches, and takedowns in weekly roundup
A weekly roundup published by Security Affairs summarized multiple late-November 2025 developments, including active exploitation of vulnerabilities in 7-Zip, Fortinet FortiWeb, Oracle Fusion Middleware, and Google Chrome V8; data breaches affecting several organizations; and international law-enforcement action against Russian bulletproof hosting infrastructure. Because the newsletter is a summary of many separate stories without specific event dates in the provided text, it is treated as a publication-level reporting event rather than broken into distinct timeline items.
NoName057(16) shifts DDoS campaign focus from Denmark to Sweden
During the week of 2025-11-17 to 2025-11-23, the pro-Russian hacktivist group NoName057(16) redirected its DDoSia-driven campaign toward Sweden. The group targeted Swedish government, transport, telecom, and public digital platforms while conducting more than 5,100 attacks across nine countries.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Fake Prettier Extension on VSCode Marketplace Dropped Anivia Stealer
hackread.com
Open sourceDDoSia Shifts Its Focus Toward Sweden: Weekly DDoSia Threat Intelligence
socradar.io
Open sourceSecurity Affairs newsletter Round 551 by Pierluigi Paganini – INTERNATIONAL EDITION
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Active Exploitation of FortiWeb OS Command Injection Vulnerabilities
Fortinet has disclosed multiple vulnerabilities in its FortiWeb web application firewall, including a critical OS command injection flaw tracked as CVE-2025-64446 and another actively exploited vulnerability, CVE-2025-58034. These vulnerabilities allow authenticated attackers to execute unauthorized code or commands on affected FortiWeb systems via crafted HTTP requests or CLI commands. Fortinet has observed exploitation of these flaws in the wild and has released security updates to address the issues, urging customers to upgrade to the latest versions to mitigate risk. The vulnerabilities impact several FortiWeb versions, and Fortinet has credited researchers from Trend Micro for responsible disclosure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by mandating that all federal civilian agencies patch CVE-2025-64446 within seven days, highlighting the severity and active exploitation of the bug. Security researchers have noted that attackers are using HTTP POST requests to create new admin-level accounts on exposed devices, and CISA has recommended disabling HTTP/HTTPS on internet-facing interfaces if immediate patching is not possible. Fortinet has communicated directly with affected customers and emphasized the importance of prompt remediation to prevent further compromise of FortiWeb deployments.
Mar 21, 2026
Active Exploitation of FortiWeb Command Injection Vulnerability (CVE-2025-58034)
Attackers are actively exploiting a command injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-58034, which allows authenticated users to execute unauthorized code on affected systems. The flaw, caused by improper neutralization of special elements in the `policy_scripting_post_handler` method, enables code execution as root via crafted HTTP requests or CLI commands. Fortinet released patches for affected FortiWeb versions between October 23 and 31, 2025, but did not publicly disclose the vulnerability at the time. The issue was privately reported by a Trend Micro researcher, and both Fortinet and CISA have confirmed active exploitation, with CISA adding the CVE to its Known Exploited Vulnerabilities catalog and mandating rapid remediation for US federal agencies. Security researchers warn that proof-of-concept code for CVE-2025-58034 may soon be publicly available, increasing the risk of widespread attacks. There is currently no workaround for this vulnerability, and organizations are urged to upgrade to the fixed FortiWeb versions immediately and check for signs of compromise. The vulnerability requires authentication to exploit, but successful exploitation grants attackers root-level access. The disclosure timeline shows the vulnerability was reported in June 2025 and publicly disclosed in November 2025, with coordinated advisories from both Fortinet and the Zero Day Initiative.
Mar 21, 2026
Fortinet FortiWeb Path Traversal Vulnerability CVE-2025-64446 Actively Exploited
A critical vulnerability, CVE-2025-64446, affecting Fortinet FortiWeb web application firewall devices has been actively exploited in the wild, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, present in FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.4, and earlier branches, allows unauthenticated remote attackers to bypass authentication and execute administrative commands via crafted HTTP or HTTPS requests. Attackers have leveraged this vulnerability to create unauthorized administrative accounts, such as "Testpoint" and "trader," enabling persistent and undetected access to affected systems. Fortinet has released patches in version 8.0.2 and equivalent updates, but exploitation continues against unpatched devices, exposing organizations to significant risk of compromise and data exposure. CISA's inclusion of CVE-2025-64446 in the KEV catalog underscores the urgency of remediation, especially for U.S. federal agencies, which have been mandated to patch vulnerable FortiWeb systems by November 21, 2025. The agency also strongly advises all organizations to prioritize remediation of this and other KEV-listed vulnerabilities to reduce exposure to active cyber threats. The vulnerability's exploitation highlights the ongoing risk posed by unpatched perimeter security devices and the importance of timely vulnerability management in defending against sophisticated attacks.
Mar 21, 2026