- Fortinet has patched CVE-2025-58034, a FortiWeb flaw that enables operating system command injection attacks
- Vulnerable versions cover 7.0.0 to 7.0.11, 7.2.0 to 7.2.11, 7.4.0 to 7.4.10, 7.6.0 to 7.6.5, 8.0.0 to 8.0.1.
- Actively exploited in the wild, with around 2,000 attack attempts already detected
Fortinet has released an urgent patch for a high-severity vulnerability in FortiWeb that is apparently being abused.
FortiWeb is the company’s dedicated web application firewall (WAF), typically installed in front of a website or API and designed to filter malicious traffic.
In a security advisory, Fortinet credited Jason McFadyen of Trend Micro's Trend Research with discovering and disclosing an improper neutralization of special elements used in an operating system command flaw, better known as "OS command injection." The bug, now tracked as CVE-2025-58034, allows unauthenticated malicious actors to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. It received a severity score of 7.2/10 (high), and Fortinet stated that exploiting it does not require user interaction.
Thousands of attacks
Basically, an attacker already authenticated to a vulnerable FortiWeb could exploit CVE-2025-58034 to execute arbitrary operating system commands on the device via crafted HTTP or CLI input, potentially gaining full control, installing backdoors, or moving laterally within the network.
Vulnerable versions include 7.0.0 to 7.0.11, 7.2.0 to 7.2.11, 7.4.0 to 7.4.10, 7.6.0 to 7.6.5, and 8.0.0 to 8.0.1. Fortinet urged its users to apply the patches and bring their FortiWeb to versions not affected by the bug, especially since it is actively exploited in the wild.
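To turn the version list above into something an administrator can run against an inventory, here is a small added example (not Fortinet's or TechRadar's code) that parses FortiWeb version strings and reports which hosts fall inside one of the affected ranges quoted in the article. The inventory at the bottom is constructed; the only facts it relies on are the five ranges named in the text, and a version outside those ranges is reported as "not in a listed range," not as fixed, because the article does not state the fixed versions.

```python
"""Flag FortiWeb hosts whose version falls in a CVE-2025-58034 affected range.

Added example, not vendor code. Affected ranges are taken from the article;
the sample inventory below is constructed for illustration.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive ranges as listed in Fortinet's advisory (quoted in the article).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("7.0.0", "7.0.11"),
    ("7.2.0", "7.2.11"),
    ("7.4.0", "7.4.10"),
    ("7.6.0", "7.6.5"),
    ("8.0.0", "8.0.1"),
]


def parse_version(text: str) -> Version:
    """Turn '7.4.3' or 'v7.4' into a 3-tuple of ints.

    Tuples compare numerically, so 7.4.10 sorts after 7.4.9; a plain string
    comparison would get that wrong. Missing trailing components become 0.
    """
    parts = text.strip().lstrip("vV").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def is_affected(version: str) -> bool:
    """True if the version lies inside any range the advisory lists."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose recorded version is in an affected range.

    Hosts on branches the advisory does not mention at all (e.g. 6.x) are not
    flagged here; the article says nothing about them either way.
    """
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostname -> reported FortiWeb version).
SAMPLE_INVENTORY: Dict[str, str] = {
    "waf-edge-01": "7.4.3",
    "waf-edge-02": "7.6.5",
    "waf-lab": "8.0.2",
    "waf-old": "6.4.1",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        status = "AFFECTED" if is_affected(ver) else "not in a listed range"
        print(f"{host:12} {ver:8} {status}")
```

Feed it the output of your own asset inventory in place of `SAMPLE_INVENTORY`; the comparison is on numeric tuples, so 7.4.10 is correctly treated as inside the 7.4.0 to 7.4.10 range while 7.4.11 is not.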
Although the company did not disclose further details about the attacks in the advisory, it did tell BleepingComputer that around 2,000 attack attempts have been detected so far.
Fortinet vulnerabilities are often exploited, even as zero-days, in cyberespionage and ransomware attacks, as seen in February 2025, when the Chinese state-sponsored group Volt Typhoon used two such flaws against a Dutch Defense Ministry military network.
Via BleepingComputer