- Fortinet has patched FortiWeb flaw CVE-2025-58034, which allows operating system command injection attacks
- Vulnerable versions span 7.0.0–7.0.11, 7.2.0–7.2.11, 7.4.0–7.4.10, 7.6.0–7.6.5, 8.0.0–8.0.1
- Actively exploited in the wild, with ~2000 attack attempts already detected
Fortinet has issued an urgent patch for a high-severity vulnerability in FortiWeb that is apparently being abused.
FortiWeb is the company’s dedicated web application firewall (WAF), which is typically installed in front of a website or API and is designed to filter malicious traffic.
In a security advisory, Fortinet said Jason McFadyen of Trend Micro’s Trend Research found and reported an improper neutralization of special elements used in an operating system command, also known as ‘OS command injection.’ This bug, now tracked as CVE-2025-58034, allows unauthenticated threat actors to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. It was given a severity score of 7.2/10 (high), and Fortinet said it does not require user interaction to be exploited.
Thousands of attacks
Basically, an attacker who is already authenticated to a vulnerable FortiWeb could exploit CVE-2025-58034 to execute arbitrary operating system commands on the device via a crafted HTTP or CLI input, potentially gaining full control, installing backdoors, or moving laterally on the network.
Vulnerable versions include 7.0.0 through 7.0.11, 7.2.0 through 7.2.11, 7.4.0 through 7.4.10, 7.6.0 through 7.6.5, and 8.0.0 through 8.0.1. Fortinet urged its users to apply the fixes and bring their FortiWeb to versions that are not affected by the bug, especially since it is being actively exploited in the wild.
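As an added example (not from Fortinet's advisory or from the article), a small Python helper that checks a FortiWeb version string against the affected ranges quoted above so an inventory list can be triaged; the hostnames and version strings in the sample inventory are constructed, and the '-buildNNNN' suffix handling is an assumption about how versions may be recorded.

```python
from typing import Iterable, Optional

# Affected FortiWeb version ranges for CVE-2025-58034, as listed in the advisory
# (inclusive on both ends). Anything outside these ranges is treated as not affected.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 11)),
    ((7, 2, 0), (7, 2, 11)),
    ((7, 4, 0), (7, 4, 10)),
    ((7, 6, 0), (7, 6, 5)),
    ((8, 0, 0), (8, 0, 1)),
]


def parse_version(text: str) -> Optional[tuple]:
    """Turn a version string such as '7.4.3' into a (major, minor, patch) tuple.

    A trailing build tag like '7.4.3-build1234' (assumed format) is ignored. Returns
    None when the string is not a three-part numeric version, so bad inventory rows
    are flagged instead of silently passing as unaffected.
    """
    core = text.strip().split("-", 1)[0].split(" ", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """True if the version lies inside an affected range, False if not, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Iterable[tuple]) -> dict:
    """Group (hostname, version) pairs into affected / not_affected / unknown hosts."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in inventory:
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "not_affected")
        result[key].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("waf-01", "7.4.10"), ("waf-02", "7.4.11"),
              ("waf-03", "8.0.1-build0112"), ("waf-04", "n/a")]
    print(triage(sample))
```

Hosts in the "unknown" bucket need their version confirmed by hand rather than being assumed safe.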
While the company did not reveal more details about the attacks in the advisory, it did tell BleepingComputer that it has so far detected around 2,000 attack attempts.
Fortinet vulnerabilities are often exploited, even as zero-days, in cyber espionage and ransomware attacks, as seen in February 2025 when Chinese state-sponsored actor Volt Typhoon used two such flaws against a Dutch Ministry of Defense military network.
Via BleepingComputer