Fortinet Woes Continue With Another WAF Zero-Day Flaw
Summary
Fortinet has disclosed a second zero‑day in its FortiWeb web application firewall line: CVE-2025-58034. The flaw is an OS command injection that lets an authenticated attacker execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. Its CVSS score of 6.7 is only medium because authentication is required, which is exactly why the chaining scenario below matters. Trend Micro researchers reported detections, while Rapid7 and Orange Cyberdefense have observed active exploitation campaigns and raised concerns that multiple command‑injection fixes were bundled under a single CVE. Fortinet issued patches prior to public disclosure, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue with a shortened one‑week remediation deadline.
Key Points
- CVE-2025-58034 is an authenticated OS command injection in FortiWeb (CVSS 6.7).
- Fortinet patched the issue in FortiWeb versions 8.0.2, 7.6.6, 7.4.11, 7.2.12 and 7.0.12; update immediately if you run FortiWeb.
- CISA added the vulnerability to the KEV catalogue with a shortened one‑week remediation deadline; that deadline is binding on US federal civilian agencies under BOD 22-01 and a strong prioritisation signal for everyone else.
- Researchers warn attackers may chain this flaw with CVE-2025-64446, the recently disclosed FortiWeb authentication bypass, to achieve unauthenticated remote code execution; Trend Micro has reported around 2,000 exploitation detections.
- Rapid7 flagged that fixes were applied across multiple functions but only one CVE was assigned, so scanners, detection rules and vendor notes keyed to a single identifier may not reflect every patched code path, which complicates accurate detection and response.
- Mitigations include keeping FortiWeb management interfaces off the Internet, auditing for newly created administrator accounts and unexpected configuration changes made before the patch landed, and applying the vendor fixes without delay.
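The first practical question after an advisory like this is which appliances in the fleet are still below the fixed build, and which of those also expose their management interface. The script below is an added example, not code from Fortinet or from the researchers cited here: it maps a version string to its branch, compares it as an integer tuple against the fixed versions listed above, and ranks a constructed sample inventory so that unpatched, Internet-exposed units come first. The inventory entries, host names and the `mgmt_internet_exposed` field are assumptions made for the demonstration.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed build per FortiWeb branch, taken from the advisory versions
# quoted on this page. Any build on a listed branch below its entry here
# is treated as vulnerable to CVE-2025-58034.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (8, 0): (8, 0, 2),
    (7, 6): (7, 6, 6),
    (7, 4): (7, 4, 11),
    (7, 2): (7, 2, 12),
    (7, 0): (7, 0, 12),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract major.minor.patch from strings such as '7.4.10' or
    'FortiWeb v7.6.5,build1234'. Comparing as integer tuples matters:
    compared as strings, '7.4.9' would sort above '7.4.11'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted' for one FortiWeb build."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        # Branch not named in the advisory (for example an older 6.x train):
        # there is no fixed build to compare against, so it needs manual
        # follow-up rather than a silent "patched" verdict.
        return "unlisted"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rank appliances so the ones to fix first come first: unpatched
    builds whose management interface is reachable from the Internet."""
    rows = []
    for item in inventory:
        status = assess(str(item["version"]))
        exposed = bool(item.get("mgmt_internet_exposed", False))
        if status == "patched":
            priority = 3
        elif status == "vulnerable" and exposed:
            priority = 0
        elif status == "vulnerable":
            priority = 1
        else:
            priority = 2  # unlisted branch: confirm its status by hand
        rows.append({"host": item["host"], "status": status,
                     "mgmt_internet_exposed": exposed, "priority": priority})
    return sorted(rows, key=lambda r: (r["priority"], str(r["host"])))


# Constructed sample inventory for the demonstration; not real hosts,
# and the build suffix format is assumed rather than copied from a device.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"host": "waf-dmz-01", "version": "FortiWeb v7.4.10,build0000", "mgmt_internet_exposed": True},
    {"host": "waf-dmz-02", "version": "7.4.11", "mgmt_internet_exposed": True},
    {"host": "waf-lab-01", "version": "8.0.1", "mgmt_internet_exposed": False},
    {"host": "waf-old-01", "version": "6.4.3", "mgmt_internet_exposed": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"P{row['priority']} {row['host']:<12} {row['status']:<10} "
              f"exposed={row['mgmt_internet_exposed']}")
```

A "patched" verdict only says the build is current; it says nothing about whether the appliance was reached while it was exposed. For any unit that sat on the Internet before the fix was applied, the account and configuration audit from the mitigation list still has to happen.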
Why should I read this?
Short and blunt: this is being exploited, it is serious, and you should care now. CISA has put it on the KEV list with a one‑week patch deadline, researchers have reported thousands of detections, and attackers can chain it with the earlier authentication bypass to drop the "authenticated" requirement. If your organisation runs FortiWeb, patch and lock down management access, pronto. We have done the legwork so you do not have to trawl advisories.
Context and relevance
Edge devices like WAFs and VPN gateways are prime targets: they are reachable by design, they sit in front of the applications they protect, and a single compromised appliance hands an attacker both a network foothold and a view of the traffic passing through it. This episode highlights two industry problems: (1) disclosure and patch timelines when vendors ship fixes before a public advisory, leaving customers unaware they need to upgrade, and (2) CVE assignment practices that group multiple fixes under one identifier, which complicates detection and remediation. For security teams the takeaways are clear: patch on the KEV timeline, keep management interfaces off the public Internet, and hunt for chained exploitation and anomalous administrator account creation on any appliance that was exposed before it was fixed.
