Fixing and finding
Jump to remediation plan
CVE ID

CVE-2025-58034

Published 2025-11-18
Updated 6 months ago
Vendor/s
Fortinet
Product/s
FortiWeb
Version/s
7.0.0 > 7.0.12
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
7.2
/ 10
High
Severity Details
Base score
7.2 High
Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

Fortinet FortiWeb is vulnerable to OS command injection (CVE-2025-58034). High severity and actively exploited. Update to versions 7.0.12+ or 8.0.2+.

CPE

Fortinet logo
Fortinet
Product Version Start Version End (excl.) Status
fortiweb 7.0.0 7.0.12 vulnerable
fortiweb 7.2.0 7.2.12 vulnerable
fortiweb 7.4.0 7.4.11 vulnerable
fortiweb 7.6.0 7.6.6 vulnerable
fortiweb 8.0.0 8.0.2 vulnerable

Related weakness (CWE)

CWE-78

Remediation plan

1

Apply official patches

Fortinet has released firmware updates to address this OS command injection flaw. Organizations should prioritize upgrading to FortiWeb versions 7.0.12, 7.2.12, 7.4.11, 7.6.6, 8.0.2, or later to eliminate the vulnerability.

2

Update affected systems

Identify and update all FortiWeb instances running vulnerable versions, including 7.0.x (up to 7.0.11), 7.2.x (up to 7.2.11), 7.4.x (up to 7.4.10), 7.6.x (up to 7.6.5), and 8.0.x (up to 8.0.1), to the latest secure firmware release.

3

Restrict access

Limit access to the FortiWeb management interface and CLI to trusted administrative networks only. Implement strong multi-factor authentication (MFA) and enforce strict role-based access control to reduce the risk of authenticated exploitation.

4

Monitor for exploitation

Review system logs for unusual CLI commands or suspicious HTTP requests targeting management endpoints. Look for unexpected outbound network connections from the FortiWeb appliance, which may indicate successful command injection or reverse shell activity.

Detection Guidance

Detection should focus on identifying anomalous administrative activity. Monitor FortiWeb audit logs for unusual shell commands or unexpected CLI usage by administrative accounts. Since the vulnerability involves crafted HTTP requests, inspect management interface logs for special characters such as semicolons, pipes, or backticks in input parameters. Additionally, monitor for unauthorized outbound traffic from the WAF appliance, which could signify post-exploitation command-and-control communication.

References

https://fortiguard.fortinet.com/psirt/FG-IR-25-513 Vendor Advisory https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58034 US Government Resource

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)

Experience superior visibility and a simpler approach to cyber risk management

Get a demo
Free trial