Full Report
Attackers may be joining the dots to enable unauthenticated RCE Fortinet has confirmed that another flaw in its FortiWeb web application firewall has been exploited as a zero-day and issued a patch, just days after disclosing a critical bug in the same product that attackers had found and abused a month earlier.…
Analysis Summary
# Vulnerability: FortiWeb OS Command Injection (Second 0-Day)
## CVE Details
- CVE ID: CVE-2025-58034
- CVSS Score: Not explicitly provided, but CISA listing and description suggest **High/Critical** severity.
- CWE: OS Command Injection (Implicit)
## Affected Systems
- Products: FortiWeb web application firewall
- Versions: Not explicitly listed, but implied all versions prior to the patch release.
- Configurations: Standard configurations susceptible to crafted HTTP requests or CLI commands.
## Vulnerability Description
CVE-2025-58034 is an OS command injection vulnerability within FortiWeb. It allows **authenticated attackers** to execute unauthorized code on the underlying operating system by submitting specially crafted HTTP requests or CLI commands.
*Note: This vulnerability is suspected to be chained with CVE-2025-64446 (an authentication bypass vulnerability) to achieve unauthenticated Remote Code Execution (RCE).*
## Exploitation
- Status: **Exploited in the wild**. Trend Micro reported around 2,000 detections. CISA has added it to their KEV catalog.
- Complexity: Implied **Medium** or **Low** given "indiscriminate in-the-wild exploitation" and the potential for chaining to bypass authentication.
- Attack Vector: Network (via HTTP request or CLI access).
## Impact
- Confidentiality: High (Potential for full system compromise leads to data exposure).
- Integrity: High (Unauthorized code execution grants administrative control).
- Availability: High (System takeover or disruption).
## Remediation
### Patches
- Updating FortiWeb devices to the most recent software version provided by Fortinet fixes this problem. (Specific version number not detailed in the text, but the latest available patch must be applied.)
### Workarounds
- No specific workarounds were detailed in the provided text, though applying the patch immediately is strongly advised, especially given CISA's 7-day deadline for federal agencies.
## Detection
- **Indicators of Compromise (IOCs):** Unknown specific IOCs mentioned, but forensic investigation should look for unusual execution of OS commands via HTTP requests or CLI inputs corresponding to the vulnerability pattern.
- **Detection Methods and Tools:** Monitoring web application traffic for anomalous HTTP payloads directed at input fields or CLI interfaces. Trend Micro research is a source for observations.
## References
- Vendor Advisory: hXXps://fortiguard.fortinet.com/psirt/FG-IR-25-513
- CISA KEV catalog entry: hXXps://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Related Flaw (Path Traversal): CVE-2025-64446 (FG-IR-25-910)