Fortinet Warns of Active Exploitation of New FortiWeb Vulnerability (CVE-2025-58034)

Fortinet has issued an alert about a newly discovered security flaw in FortiWeb, confirming that the vulnerability has already been exploited in real-world attacks. The flaw, tracked as CVE-2025-58034, is rated medium severity with a CVSS score of 6.7, but its impact becomes far more serious when combined with other vulnerabilities.

What the Vulnerability Is

According to Fortinet, CVE-2025-58034 is an OS command injection flaw caused by improper handling of special elements in system commands.

This means the attacker must already have some level of valid authentication, but once that hurdle is cleared, the flaw enables deeper access and system manipulation.

Affected Versions & Required Updates

Fortinet has released patches across multiple FortiWeb branches. Users should upgrade to the following fixed versions:

• FortiWeb 8.0.0 – 8.0.1 → Update to 8.0.2 or later

• FortiWeb 7.6.0 – 7.6.5 → Update to 7.6.6 or later

• FortiWeb 7.4.0 – 7.4.10 → Update to 7.4.11 or later

• FortiWeb 7.2.0 – 7.2.11 → Update to 7.2.12 or later

• FortiWeb 7.0.0 – 7.0.11 → Update to 7.0.12 or later

The flaw was responsibly reported by Jason McFadyen of Trend Micro.

A Larger Pattern: Silent Patching & Vulnerability Chaining

This disclosure comes shortly after Fortinet quietly patched another FortiWeb vulnerability — CVE-2025-64446, a critical authentication bypass rated 9.1 — without issuing an advisory at the time.

Security researchers at Orange Cyberdefense report seeing real exploitation campaigns where attackers chain the two vulnerabilities:

• CVE-2025-64446 → Authentication bypass

• CVE-2025-58034 → Authenticated command injection

Chaining the two results in unauthenticated remote code execution (RCE), allowing attackers full control of vulnerable devices.

Rapid7 noted the timing of the patch releases, the lack of initial disclosure, and the active exploit activity all strongly suggest these two flaws are being used together as part of a coordinated attack chain.

Why Silent Patching Matters

Fortinet has stated that its Product Security Incident Response Team (PSIRT) moved quickly to investigate and remediate the issue. However, the lack of immediate public advisories has raised concerns in the security community.

As VulnCheck explained:

Without timely advisories, organizations cannot properly assess risk or deploy protections before attackers strike.

CISA Adds CVE-2025-58034 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) list, requiring all Federal Civilian Executive Branch agencies to patch by November 25, 2025.

Key Takeaways for Defenders

• Update FortiWeb systems immediately to the fixed versions.

• Assume exploitation is active and ongoing.

• Review logs and configurations for signs of exploitation attempts.

• Treat this as part of a larger exploit chain, not an isolated flaw.

• Monitor for future advisories, as more FortiWeb-related issues may surface.

These Fortinet vulnerabilities highlight how critical timely disclosure is — and how quickly attackers capitalize on gaps in communication.