November 18, 2025

Fortinet discloses new FortiWeb flaw exploited before patch release

At a glance: Threat actors are exploiting a newly disclosed FortiWeb OS command injection vulnerability, the second FortiWeb zero-day reported as exploited this week. Chaining would turn the two flaws into a remote unauthenticated exploit path. Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment.

Threat summary

On November 18, 2025, Fortinet published a security advisory disclosing CVE-2025-58034 (FG-IR-25-513), a vulnerability in FortiWeb that had been exploited in the wild prior to disclosure. This flaw was assigned a CVSS v3.1 score of 6.7, indicating medium severity.

The flaw is categorized as an operating system (OS) command injection vulnerability, which allows attackers to execute unintended OS commands. This occurs when user input is improperly handled and passed to the system shell or command line. If exploited, it can enable actions such as listing files, deleting data, or opening backdoors, depending on the system’s privileges.
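To make the bug class concrete, the following is an added illustration (not FortiWeb code, and not from the advisory) of the pattern the paragraph describes: a hostname-like parameter spliced into a shell command string, beside the hardened form that validates the value against an allow-list and passes it as a discrete argv element with no shell involved. The `echo` command, the hostname regex and the crafted input are all constructed for the example.

```python
import re
import subprocess

# Allow-list for a hostname-like parameter: letters, digits, dots and hyphens only.
# (Assumption for this example; the page does not describe FortiWeb's input format.)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted input spliced into a shell command string."""
    return f"echo resolving {host}"


def run_unsafe(host: str) -> str:
    """Runs the string through /bin/sh, so shell metacharacters in `host` are interpreted."""
    return subprocess.run(build_command_unsafe(host), shell=True,
                          capture_output=True, text=True).stdout


def build_command_safe(host: str) -> list[str]:
    """Hardened form: validate against the allow-list, then pass argv as a list (no shell)."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname parameter: {host!r}")
    return ["echo", "resolving", host]


def run_safe(host: str) -> str:
    """No shell is involved, so the value reaches the program as one literal argument."""
    return subprocess.run(build_command_safe(host), capture_output=True, text=True).stdout


if __name__ == "__main__":
    crafted = "example.com; echo INJECTED"   # constructed input containing a shell metacharacter
    print("unsafe:", repr(run_unsafe(crafted)))   # the second command also runs
    try:
        run_safe(crafted)
    except ValueError as err:
        print("safe:", err)                       # rejected before any process is started
```

The two defences are independent: the argv list stops the shell from parsing the value at all, and the allow-list stops a value that is syntactically wrong for the parameter from reaching the program in the first place. Detection-wise, a WAF or management-plane parameter that legitimately carries a hostname or path never needs characters such as `;`, `|`, backticks or `$(`, so their presence in request logs is a cheap signal to alert on.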

This is the second FortiWeb zero-day reported as exploited within the same week. We previously reported on CVE-2025-64446, disclosed by Fortinet on November 14, a relative path traversal vulnerability [CWE-23] that may allow unauthenticated execution of administrative commands on the system via malicious HTTP or HTTPS requests.

Both CVE-2025-58034 and CVE-2025-64446 were addressed in the following FortiWeb versions:

  • 7.0.12
  • 7.2.12
  • 7.4.11
  • 7.6.6
  • 8.0.2

Fortinet has not disclosed when exploitation of CVE-2025-58034 began or whether the threat actor has been identified. No workaround has been provided. The recommended mitigation is to upgrade to a fixed version of FortiWeb.
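Because the only mitigation is upgrading, the first practical step is knowing which appliances sit below the fixed release for their branch. The following is an added helper (not Fortinet tooling) that encodes the five fixed versions listed above and triages a constructed inventory. It assumes FortiWeb version strings are three numeric components (an optional leading `v` is tolerated, build suffixes are not handled), and it deliberately reports branches the advisory does not list as unknown rather than guessing at their status.

```python
from typing import Optional

# Fixed FortiWeb releases per branch, taken from the advisory text above.
FIXED_VERSIONS = {
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 12),
    (7, 4): (7, 4, 11),
    (7, 6): (7, 6, 6),
    (8, 0): (8, 0, 2),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'v7.4.10' or '7.4.10' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_fixed(version: str) -> Optional[bool]:
    """True if the version is at or above the fixed release for its branch,
    False if it is older, None if the branch is not covered by the advisory."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each appliance name to 'patched', 'upgrade required' or 'unknown branch'."""
    result = {}
    for name, version in inventory.items():
        status = is_fixed(version)
        if status is None:
            result[name] = "unknown branch"
        elif status:
            result[name] = "patched"
        else:
            result[name] = "upgrade required"
    return result


if __name__ == "__main__":
    # Constructed inventory for illustration; names and versions are invented.
    sample = {"waf-edge-01": "7.6.5", "waf-edge-02": "v8.0.2", "waf-lab-01": "7.4.11"}
    for name, label in triage(sample).items():
        print(f"{name}: {sample[name]} -> {label}")
```

Treat "unknown branch" as a prompt to consult the vendor advisory directly rather than as a clean result; the list above is the set of fixed releases, not a statement about every branch in service.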

Analyst insight

Although this new vulnerability requires authentication to exploit, CVE-2025-64446 and CVE-2025-58034 could potentially be exploited together in a chained attack scenario. If a threat actor uses CVE-2025-64446 to gain admin access without credentials, they could then exploit CVE-2025-58034 to execute system commands with elevated privileges. This chaining would turn the two flaws into a remote unauthenticated exploit path, increasing the impact of the attack.

Fortinet has confirmed exploitation of both vulnerabilities in the wild two days apart, but has not publicly stated whether they were used together. Based on the nature of the flaws and the timing of the advisories, chaining them is technically feasible and aligns with common attacker behavior.

FortiWeb appliances should be treated as high-risk assets until patched or isolated. For organizations unable to patch immediately, restricting access to the FortiWeb management interface from untrusted networks reduces exposure.

Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment.
