Fortinet ‘fesses up to second 0-day within a week

Summary

Fortinet has confirmed a second zero-day in its FortiWeb web application firewall, CVE-2025-58034, an OS command injection that lets an authenticated attacker execute arbitrary system commands via crafted HTTP requests or CLI input. Fortinet has released fixed FortiWeb versions. Trend Micro, which reported the bug, counts roughly 2,000 in-the-wild detections, and CISA has added the CVE to its Known Exploited Vulnerabilities catalogue with a seven-day remediation deadline for federal civilian agencies.

This disclosure follows last week's admission of a separate critical FortiWeb flaw, CVE-2025-64446, an authentication bypass that lets an unauthenticated attacker perform administrative actions. Rapid7, Trend Micro and other researchers warn the two can be chained: use the bypass to obtain an authenticated context, then trigger the command injection. Against an unpatched device that amounts to unauthenticated remote code execution.
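To make the chaining argument concrete, here is an added illustration in Python of the CWE-78 pattern the summary describes. It is a constructed toy request handler, not Fortinet code and not derived from the advisory or from any FortiWeb endpoint; the `ping` handler, the `Session` type and the hostname allow-list are assumptions for the example. It shows why "authenticated" is thin protection when the session check is the only thing between request data and a shell, and what the fixed shape of such a handler looks like.

```python
"""Toy handler showing an OS command injection (CWE-78) behind a login check.

Constructed example; not FortiWeb code. The endpoint, parameter names and
Session type are assumptions made for illustration.
"""
import re
import subprocess
from dataclasses import dataclass

# Allow-list for the one parameter we accept: letters, digits, dots, hyphens.
# Every character a shell cares about (; | & $ ` < > quotes, whitespace) fails.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


class InvalidParameter(ValueError):
    """Request parameter failed allow-list validation."""


@dataclass
class Session:
    user: str
    authenticated: bool


def vulnerable_ping_command(params: dict) -> str:
    """Vulnerable pattern: request data spliced into a shell string.

    Run with shell=True, host='127.0.0.1; id' executes ping *and* id.
    """
    return f"ping -c 1 {params.get('host', '')}"


def hardened_ping_command(params: dict) -> list[str]:
    """Hardened pattern: allow-list the value, then hand argv straight to
    exec with no shell in between, so metacharacters are never interpreted.
    """
    host = params.get("host", "")
    if not HOSTNAME_RE.fullmatch(host):
        raise InvalidParameter(f"bad host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def handle_ping(session: Session, params: dict, hardened: bool,
                execute: bool = False):
    """Authenticated endpoint. Returns what would be executed.

    The session check is the *only* gate in front of the command. An
    authentication bypass that yields a valid session (the 64446 -> 58034
    chain described in the article) therefore walks straight through it.
    """
    if not session.authenticated:
        raise PermissionError("login required")
    if hardened:
        argv = hardened_ping_command(params)
        if execute:
            subprocess.run(argv, check=False, timeout=5)   # no shell
        return argv
    cmd = vulnerable_ping_command(params)
    if execute:
        subprocess.run(cmd, shell=True, check=False, timeout=5)  # injectable
    return cmd


if __name__ == "__main__":
    # Session an attacker holds after an authentication bypass (constructed).
    attacker = Session(user="admin", authenticated=True)
    payload = {"host": "127.0.0.1; id"}
    print("vulnerable would run:", handle_ping(attacker, payload, hardened=False))
    try:
        handle_ping(attacker, payload, hardened=True)
    except InvalidParameter as exc:
        print("hardened rejected:", exc)
```

Nothing is executed unless `execute=True` is passed; the functions return the command that would run so the difference is visible without touching the host. The fix is structural (allow-list the input, drop the shell), not a quoting layer: escaping with `shlex.quote` still leaves a shell in the path and is the weaker of the two.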

Key Points

  • CVE-2025-58034 is an OS command injection in FortiWeb that lets an authenticated attacker run system commands; Fortinet has shipped fixed versions.
  • Trend Micro, which reported the flaw, counts ~2,000 in-the-wild detections; Fortinet and other researchers confirm active exploitation.
  • CISA added the CVE to its Known Exploited Vulnerabilities catalogue and gave federal agencies seven days to remediate, an unusually short deadline that signals how urgent this is.
  • Fortinet disclosed a separate critical FortiWeb bug, CVE-2025-64446, days earlier that lets an unauthenticated attacker bypass authentication.
  • Researchers assess the two flaws chain: the bypass supplies the authenticated context the command injection needs, giving unauthenticated remote code execution on FortiWeb devices.
  • Immediate actions: upgrade FortiWeb to a fixed release; take management interfaces off the internet (Fortinet's interim workaround for the bypass was to disable HTTP/HTTPS on internet-facing interfaces); review logs and the admin account list for activity you did not initiate; and treat any appliance that was exposed while unpatched as potentially compromised rather than simply patching over it.

Why should I read this?

Quick and blunt: if you run FortiWeb, this is hot and urgent. Two bugs that chain mean an attacker can go from no credentials to command execution on the box. Patches exist, but the detection counts and CISA's seven-day deadline show it is already being used in the wild, so patch now, check your logs and admin accounts, and lock down any exposed devices.

Author style

Punchy: This isn’t a routine patch note — treat it like an incident. If you’re responsible for perimeter defences, act immediately.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/19/fortinet_confirms_second_fortiweb_0day/