Fortinet Warns of New FortiWeb Zero-Day Exploited in Attacks
Summary:
Fortinet has issued security updates to address a newly disclosed FortiWeb zero-day vulnerability (tracked as CVE-2025-58034) that is currently being actively exploited by threat actors. This flaw, reported by Trend Micro, is an OS Command Injection vulnerability that allows an authenticated attacker to execute unauthorized code on the underlying system with low complexity and no user interaction required, as stated by Fortinet. Fortinet has confirmed that this vulnerability is being exploited "in the wild," and administrators are urged to upgrade their FortiWeb devices immediately to the latest software patch.
This incident follows closely on the heels of Fortinet silently patching another massively exploited FortiWeb zero-day (CVE-2025-64446) on October 28th. Attackers in that campaign were reportedly using HTTP POST requests to create new admin-level accounts on vulnerable, internet-exposed devices. The U.S. CISA added CVE-2025-64446 to its exploited vulnerabilities catalog, mandating federal agencies secure their systems by November 21st. The pattern of exploitation against Fortinet products, including a previous FortiSIEM command injection flaw and past exploitation by groups like China's Volt Typhoon for espionage, reinforces the idea that their solutions are persistently targeted.
Security Officer Comments:
The immediate release of a patch for a FortiWeb zero-day (CVE-2025-58034) confirms an elevated and ongoing threat level targeting Fortinet’s Web Application Firewalls. This is the second confirmed, actively exploited FortiWeb zero-day in two weeks (following CVE-2025-64446), underscoring the Fortinet product line's attractiveness to adversaries. Given the history of Fortinet zero-days being leveraged for state-sponsored espionage and ransomware, organizations incorporating FortiWeb are especially vulnerable. The requirement of authentication for exploitation mitigates the risk slightly, but the confirmed in-the-wild exploitation means patching should be prioritized.
Suggested Corrections:
Suggested Corrections Recommendations by Version:
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortiweb-zero-day-exploited-in-attacks/
Fortinet has issued security updates to address a newly disclosed FortiWeb zero-day vulnerability (tracked as CVE-2025-58034) that is currently being actively exploited by threat actors. This flaw, reported by Trend Micro, is an OS Command Injection vulnerability that allows an authenticated attacker to execute unauthorized code on the underlying system with low complexity and no user interaction required, as stated by Fortinet. Fortinet has confirmed that this vulnerability is being exploited "in the wild," and administrators are urged to upgrade their FortiWeb devices immediately to the latest software patch.
This incident follows closely on the heels of Fortinet silently patching another massively exploited FortiWeb zero-day (CVE-2025-64446) on October 28th. Attackers in that campaign were reportedly using HTTP POST requests to create new admin-level accounts on vulnerable, internet-exposed devices. The U.S. CISA added CVE-2025-64446 to its exploited vulnerabilities catalog, mandating federal agencies secure their systems by November 21st. The pattern of exploitation against Fortinet products, including a previous FortiSIEM command injection flaw and past exploitation by groups like China's Volt Typhoon for espionage, reinforces the idea that their solutions are persistently targeted.
Security Officer Comments:
The immediate release of a patch for a FortiWeb zero-day (CVE-2025-58034) confirms an elevated and ongoing threat level targeting Fortinet’s Web Application Firewalls. This is the second confirmed, actively exploited FortiWeb zero-day in two weeks (following CVE-2025-64446), underscoring the Fortinet product line's attractiveness to adversaries. Given the history of Fortinet zero-days being leveraged for state-sponsored espionage and ransomware, organizations incorporating FortiWeb are especially vulnerable. The requirement of authentication for exploitation mitigates the risk slightly, but the confirmed in-the-wild exploitation means patching should be prioritized.
Suggested Corrections:
Suggested Corrections Recommendations by Version:
- Fortiweb 8.0 - Affects 8.0.0 through 8.0.1 - Upgrade to 8.0.2 or above
- FortiWeb 7.6 - Affects 7.6.0 through 7.6.5 - Upgrade to 7.6.6 or above
- FortiWeb 7.4 - Affects 7.4.0 through 7.4.10 - Upgrade to 7.4.11 or above
- FortiWeb 7.2 - Affects 7.2.0 through 7.2.11 - Upgrade to 7.2.12 or above
- FortiWeb 7.0 - Affects 7.0.0 through 7.0.11 - Upgrade to 7.0.12 or above
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortiweb-zero-day-exploited-in-attacks/