Week 48 – FortiWeb Pulls OS Commands Out of a Hat

14 – 30 Nov 2025

A newly disclosed and actively exploited FortiWeb vulnerability (CVE-2025-58034) allows authenticated attackers to execute arbitrary OS commands, posing a serious risk to organizations relying on the platform for critical web application protection.

Despite its medium severity rating (CVSS score of 6.7), the vulnerability is actively exploited and listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, making it a high-priority issue.

This is an OS Command Injection vulnerability affecting multiple versions of FortiWeb, Fortinet’s enterprise WAF solution for protecting business-critical web applications and APIs from emerging web-based threats. The flaw allows an authenticated attacker to execute arbitrary operating system commands via crafted HTTP requests or CLI commands.

Root cause

  • FortiWeb does not properly filter input for certain HTTP management API and CLI commands.
  • User input (e.g. request parameters) is passed to shell commands without escaping, so special characters and command sequences embedded in that input are executed as arbitrary OS commands.
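As an added illustration of this root cause (example code written for this post, not FortiWeb code), the Python below contrasts a handler that interpolates a request parameter into a shell command string with one that validates the parameter against an allowlist and passes it as a separate argv element without a shell. The `echo` command, the hostname pattern and the constructed inputs are placeholders for whatever command and parameter format the real handler uses.

```python
import re
import subprocess

# Allowlist for a hostname-like parameter: letters, digits, dots and hyphens only.
# (Constructed for this example; the real parameter format depends on the API.)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters that a POSIX shell interprets as command separators or substitutions.
SHELL_METACHARS = set(";|&`$(){}<>\n")


def run_vulnerable(param: str) -> str:
    """Anti-pattern: raw input is concatenated into a string that a shell parses.

    A ';' in the parameter terminates the intended command, so the remainder of
    the parameter runs as a second command. 'echo' stands in for the real command.
    """
    cmd = f"echo {param}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def run_hardened(param: str) -> str:
    """Mitigated form: validate against an allowlist, then pass argv without a shell.

    With shell=False each list element reaches the program as one argument, so
    shell metacharacters in the parameter carry no special meaning.
    """
    if not HOSTNAME_RE.fullmatch(param):
        raise ValueError(f"rejected parameter: {param!r}")
    result = subprocess.run(["echo", param], shell=False, capture_output=True, text=True)
    return result.stdout


def contains_shell_metachars(param: str) -> bool:
    """Cheap pre-check a WAF or API gateway can apply before the handler sees the input."""
    return any(ch in SHELL_METACHARS for ch in param)


if __name__ == "__main__":
    # Constructed inputs: a benign hostname and one carrying a second, harmless command.
    benign = "app.example.internal"
    injected = "app.example.internal; echo INJECTED"

    print("vulnerable, benign  :", run_vulnerable(benign).strip())
    print("vulnerable, injected:", run_vulnerable(injected).strip().splitlines())
    print("hardened, benign    :", run_hardened(benign).strip())
    try:
        run_hardened(injected)
    except ValueError as exc:
        print("hardened, injected  :", exc)
```

The allowlist check is the part that matters most: quoting alone (for example `shlex.quote`) stops the shell from splitting the input, but passing an argv list and never invoking a shell removes the shell from the data path entirely.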

Condition of the exploit

Authenticated access is required, typically obtained through an admin account compromise, a weak password, or session theft. In other words, to carry out the attack successfully, an adversary must first authenticate by some other means and then leverage CVE-2025-58034 to inject and execute arbitrary commands on the underlying operating system.

Why is it critical in practice?

FortiWeb WAF devices sit at the edge of the network, so after a successful exploit the attacker can:

  • Disable WAF rules
  • Create new admin accounts
  • Pivot to the internal network
  • Take full control of the device

In practice, CVE-2025-58034 often turns into unauthenticated Remote Code Execution (RCE) when chained with CVE-2025-6444, a Path Traversal vulnerability that allows authentication bypass. Attackers frequently use the two in combination.

Impact

Compromise of FortiWeb undermines perimeter defenses, exposing critical applications. Exploitation has been observed in the wild, with thousands of attempts reported.

Affected versions and released patches:

  • FortiWeb 8.0.0 through 8.0.1 (Upgrade to 8.0.2 or above)
  • FortiWeb 7.6.0 through 7.6.5 (Upgrade to 7.6.6 or above)
  • FortiWeb 7.4.0 through 7.4.10 (Upgrade to 7.4.11 or above)
  • FortiWeb 7.2.0 through 7.2.11 (Upgrade to 7.2.12 or above)
  • FortiWeb 7.0.0 through 7.0.11 (Upgrade to 7.0.12 or above)

Workaround solutions:

  • The management interface should not be exposed to the internet
  • Enforce strong passwords and MFA
  • WAF rules: disallow suspicious characters (;, |, &&) in API calls
  • Monitor for the creation of new admin accounts
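The workaround list above can be turned into a few concrete log checks. The Python below is an added example written for this post, not a FortiWeb feature: it scans a constructed management-log excerpt for requests arriving from outside the management network, shell separators in API parameters, and admin account creation events. The key=value log layout, the API paths, the addresses and the 10.0.5.0/24 management network are all assumptions made for the example.

```python
import ipaddress
import shlex
from typing import Dict, List

# Constructed log excerpt for this example; the key=value layout is an assumption,
# not FortiWeb's actual management log format.
SAMPLE_LOG = """\
ts=2025-11-20T10:15:02Z src=10.0.5.12 user=admin path=/api/mgmt/status params="host=app1.internal"
ts=2025-11-20T10:16:40Z src=203.0.113.77 user=admin path=/api/mgmt/status params="host=app1.internal; echo x"
ts=2025-11-20T10:17:05Z src=203.0.113.77 user=admin path=/api/mgmt/admin-accounts params="action=create name=svc_backup"
ts=2025-11-20T10:18:11Z src=10.0.5.12 user=ops path=/api/mgmt/status params="host=app2.internal | echo y"
ts=2025-11-20T10:19:30Z src=10.0.5.12 user=admin path=/api/mgmt/status params="host=app3.internal && echo z"
"""

# Networks from which management access is expected (constructed for the example).
MGMT_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# The separator sequences the workaround list singles out for API calls.
SUSPICIOUS_SEQUENCES = (";", "|", "&&")


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def scan(log_text: str, mgmt_networks) -> List[Dict[str, str]]:
    """Apply three checks to every line and return one alert per check that fires."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        base = {"ts": ev.get("ts", ""), "src": ev.get("src", ""), "user": ev.get("user", "")}

        # 1. Management API reached from outside the expected management networks.
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in mgmt_networks):
            alerts.append({**base, "rule": "external_mgmt_access"})

        # 2. Shell command separators inside request parameters.
        params = ev.get("params", "")
        hit = next((seq for seq in SUSPICIOUS_SEQUENCES if seq in params), None)
        if hit is not None:
            alerts.append({**base, "rule": "shell_metachars", "detail": hit})

        # 3. Creation of a new administrator account.
        if ev.get("path", "").endswith("/admin-accounts") and "action=create" in params:
            alerts.append({**base, "rule": "admin_account_created", "detail": params})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, MGMT_NETWORKS):
        print(alert)
```

On the sample excerpt the external-source and admin-creation rules fire together on the same client address, which is the sequence the "Why is it critical" section describes: authenticated access from an unexpected location followed by a new admin account. Correlating the two on source address is the more useful alert than either rule alone.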

For More Information:

https://thehackernews.com/2025/11/fortinet-warns-of-new-fortiweb-cve-2025.html
https://nvd.nist.gov/vuln/detail/CVE-2025-58034
https://www.securityweek.com/fortinet-discloses-second-exploited-fortiweb-zero-day-in-a-week/
https://fortiguard.fortinet.com/psirt/FG-IR-25-513


White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024 and 2025.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.