Fortinet Warns of New FortiWeb Zero-Day Exploited in Attacks

ACTIONABLE | Severity: High | TLP: GREEN

Overview

Fortinet has released urgent security updates addressing a newly discovered FortiWeb zero-day vulnerability (CVE-2025-58034) that is currently being actively exploited in the wild. The flaw, reported by Trend Micro, is an OS Command Injection vulnerability allowing an authenticated attacker to execute arbitrary code on affected systems. This exploit requires no user interaction and poses a high risk to organizations using unpatched FortiWeb appliances.

This development follows closely after another major zero-day—CVE-2025-64446, patched silently on October 28 — which attackers abused to create new administrative accounts on internet-exposed FortiWeb instances. That vulnerability was later added to the CISA Known Exploited Vulnerabilities Catalog, requiring all federal agencies to remediate it by November 21.

The discovery of two exploited FortiWeb zero-days in as many weeks highlights the sustained targeting of Fortinet’s Web Application Firewalls (WAFs) by both cybercriminal and state-aligned threat groups.

Details of the Vulnerability

CVE-2025-58034 is an OS Command Injection issue affecting multiple FortiWeb versions. Attackers can exploit the vulnerability to gain unauthorized control over the underlying operating system, execute arbitrary commands, and pivot deeper into victim networks.

According to Fortinet:

“This vulnerability is being exploited in the wild. Administrators should upgrade affected FortiWeb systems immediately to mitigate potential compromise.”

While exploitation requires authentication, adversaries have historically paired credential-stuffing attacks, stolen service accounts, and prior footholds in Fortinet products to overcome that limitation.

This zero-day adds to a worrying trend of persistent exploitation across Fortinet’s security product line, including FortiSIEM command injection flaws and FortiGate vulnerabilities previously leveraged by groups such as China’s Volt Typhoon for espionage campaigns.

Analyst Commentary

Security analysts confirm that the emergence of CVE-2025-58034—just two weeks after CVE-2025-64446—signals a heightened and ongoing threat campaign against Fortinet’s WAF ecosystem.

The combination of:

• repeated exploitation of unpatched FortiWeb devices,

• prior evidence of state-sponsored interest in Fortinet products, and

• the low-complexity nature of this attack

underscores why organizations running these devices should treat patching as an immediate operational priority.

Even though authentication is required, exploitation “in the wild” suggests attackers are chaining this flaw with other access methods, making the window of exposure far smaller than it appears.

Affected Versions & Mitigation

Recommended Immediate Actions

• Apply the latest FortiWeb firmware updates as listed above.

• Review systems for indicators of compromise (IoCs) and unauthorized administrative accounts.

• Audit all VPN, WAF, and Fortinet management interfaces for exposure to the public internet.

• Implement strict credential hygiene and multi-factor authentication (MFA) for all administrative logins.

Alvaka Recommendations

The rapid succession of zero-days targeting Fortinet’s WAF technology demonstrates a sustained campaign focused on compromising perimeter defenses. Given the confirmed exploitation of CVE-2025-58034, organizations should treat patching as critical, perform full configuration audits, and remain vigilant for secondary intrusions stemming from these flaws.

Alvaka strongly recommends immediate patch deployment, continuous monitoring of Fortinet devices, and proactive incident response planning to mitigate ongoing risk.