CVE-2025-58034
Published: 2025-11-18
CVE-2025-58034: An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0…
Priority: P187 · high · 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-11-25
Exploited in the wild
EPSS: 54.38% (98.9th percentile)
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fortinet | — | — |
| fortinet | fortiweb | — | — |
| fortinet | fortiweb | >= 7.0.0 < 7.0.12 | 7.0.12 |
| fortinet | fortiweb | 7.0.2 – 7.0.11 | — |
| fortinet | fortiweb | >= 7.2.0 < 7.2.12 | 7.2.12 |
| fortinet | fortiweb | 7.2.0 – 7.2.11 | — |
| fortinet | fortiweb | >= 7.4.0 < 7.4.11 | 7.4.11 |
| fortinet | fortiweb | 7.4.0 – 7.4.8 | — |
| fortinet | fortiweb | >= 7.6.0 < 7.6.6 | 7.6.6 |
| fortinet | fortiweb | 7.6.0 – 7.6.4 | — |
| fortinet | fortiweb | >= 8.0.0 < 8.0.2 | 8.0.2 |
| msrc | cbl2_kernel_5.15.176.3-3_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
Sigma: Fortinet FortiWeb Command Injection (CVE-2025-58034)
- Trend Micro observed approximately 2000 in-the-wild detections of active exploitation; monitor FortiWeb devices for unexpected code execution or OS command activity originating from authenticated HTTP requests or CLI commands.
- Exploitation allows code execution as root via crafted HTTP requests or CLI commands; alert on unexpected root-level process spawning from FortiWeb web service processes.
- CISA added CVE-2025-58034 to its Known Exploited Vulnerabilities Catalog; FCEB agencies were mandated to patch by November 25, 2025 under BOD 22-01.
CVSS provenance
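| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 7.2 | HIGH | — |
| cisa | — | 7.2 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |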
CISA
Fortinet FortiWeb OS Command Injection Vulnerability
cisa·2025-11-18·CVSS 7.2
CVE-2025-58034 [HIGH] CWE-78 Fortinet FortiWeb OS Command Injection Vulnerability
Vulnerability: Fortinet FortiWeb OS Command Injection Vulnerability
Affected: Fortinet FortiWeb
Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://fortiguard.fortinet.com/psirt/FG-IR-25-513 ; https://nvd.nist.gov/vuln/detail/CVE-2025-58034
Remediation Due Date: 2025-11-25
Fortinet
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vul...
vendor_fortinet·2025-11-18·CVSS 7.2
CVE-2025-58034 [HIGH] CWE-78 An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vul...
FG-IR-25-513: An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vul...
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
CVEs: CVE-2025-58034
CWEs: CWE-78
CVSS: 7.2 (high)
Affected products: FortiWeb, Fortinet
Microsoft
memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
vendor_msrc·2025-02-11·CVSS 7.8
CVE-2024-58034 [HIGH] memory: tegra20-emc: fix an OF node reference bug in tegra_emc_find_node_by_ram_code()
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Linux: Linux
Customer Action Required: Yes
Remediation: CBL-Mariner Rel
GHSA
GHSA-47cr-8w72-ggmc: An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8
ghsa_unreviewed·2025-11-18
CVE-2025-58034 [HIGH] CWE-78 GHSA-47cr-8w72-ggmc: An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
VulnCheck
Fortinet FortiWeb OS Command Injection Vulnerability
vulncheck·2025·CVSS 7.2
CVE-2025-58034 [HIGH] CWE-78 Fortinet FortiWeb OS Command Injection Vulnerability
Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
Affected: Fortinet FortiWeb
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://fortiguard.fortinet.com/psirt/FG-IR-25-513; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.acn.gov.it/portale/w/rilevato-sfruttamento-vulnerabilita-in-fortinet; https://www.recordedfuture.com/blog/november-2025-cve-landscape; https://www.loginsof
Suricata
ET WEB_SPECIFIC_APPS Fortinet FortiWeb OS Command Injection (CVE-2025-58034)
suricata·2025-12-31·CVSS 7.2
CVE-2025-58034 [HIGH] ET WEB_SPECIFIC_APPS Fortinet FortiWeb OS Command Injection (CVE-2025-58034)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortinet FortiWeb OS Command Injection (CVE-2025-58034)"; flow:established,to_server; http.uri; content:"/api/v2.0/cmdb/user/saml-user"; fast_pattern; pcre:"/^.{1,10}(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,}){2,}/R"; reference:url,www.pwndefend.com/2025/11/21/fortiweb-cve-2025-58034/; reference:cve,2025-58034; classtype:web-application-attack; sid:2066512; rev:1; metadata:affected_product FortiWeb, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_31, cve CVE_2025_58034, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_
Suricata
ET WEB_SPECIFIC_APPS Fortinet FortiWeb OS Command Injection (CVE-2025-58034)
suricata·2025-12-11·CVSS 7.2
CVE-2025-58034 [HIGH] ET WEB_SPECIFIC_APPS Fortinet FortiWeb OS Command Injection (CVE-2025-58034)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Fortinet FortiWeb OS Command Injection (CVE-2025-58034)"; flow:established,to_server; http.uri; content:"/api/v2/cmdb/system/interface"; fast_pattern; http.request_body; content:"|22|name|22 3a|"; pcre:"/^\s*\x22[^\x22]*?(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))/R"; content:"|22|vdom|22 3a|"; reference:url,github.com/Ashwesker/Blackash-CVE-2025-58034; reference:cve,2025-58034; classtype:web-application-attack; sid:2066282; rev:1; metadata:affected_product FortiWeb, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_11, cve CVE_2025_58034, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Mediu
Bleepingcomputer
Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
blogs_bleepingcomputer·2026-01-16·CVSS 9.8
CVE-2025-64155 [CRITICAL] Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
## Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
## Sergiu Gatlan
A critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code is now being abused in attacks.
According to security researcher Zach Hanley at penetration testing company Horizon3.ai, who reported the vulnerability (CVE-2025-64155), it is a combination of two issues that allow arbitrary writes with admin permissions and privilege escalation to root access.
"An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests," Fortinet explained on Tuesday, when it released security updates to patch th
Bleepingcomputer
Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
blogs_bleepingcomputer·2026-01-02·CVSS 9.8
CVE-2020-12812 [CRITICAL] Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
## Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
## Sergiu Gatlan
Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.
Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812) and advised admins who couldn't immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.
This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username's case is cha
Bleepingcomputer
Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks
blogs_bleepingcomputer·2025-12-29·CVSS 9.8
CVE-2020-12812 [CRITICAL] Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks
## Fortinet warns of 5-year-old FortiOS 2FA bypass still exploited in attacks
## Sergiu Gatlan
Fortinet has warned customers that threat actors are still actively exploiting a critical FortiOS vulnerability that allows them to bypass two-factor authentication (2FA) when targeting vulnerable FortiGate firewalls.
Tracked as CVE-2020-12812, this improper authentication security flaw was found in FortiGate SSL VPN and enables attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when changing the case of the username.
"This happens when two-factor authentication is enabled in the 'user local' setting, and that user authentication type is set to a remote authentication method (eg: ldap)," Fortinet explained when it patched th
Bleepingcomputer
Over 25,000 FortiCloud SSO devices exposed to remote attacks
blogs_bleepingcomputer·2025-12-19·CVSS 9.8
CVE-2025-59718 [CRITICAL] Over 25,000 FortiCloud SSO devices exposed to remote attacks
## Over 25,000 FortiCloud SSO devices exposed to remote attacks
## Sergiu Gatlan
Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability.
Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service.
As cybersecurity company Arctic Wolf reported on Monday, the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins.
Threat actors are abusing it i
Recorded Future
November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
blogs_recorded_future·2025-12-09·CVSS 8.8
CVE-2025-64446 [HIGH] November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
## November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
- Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
- LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks
- Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
- OS Command Injection and Out-of-bounds Write were tied as the most common weakness types
Bottom line: The r
Bleepingcomputer
Fortinet warns of critical FortiCloud SSO login auth bypass flaws
blogs_bleepingcomputer·2025-12-09·CVSS 9.8
CVE-2025-59718 [CRITICAL] Fortinet warns of critical FortiCloud SSO login auth bypass flaws
## Fortinet warns of critical FortiCloud SSO login auth bypass flaws
## Sergiu Gatlan
Fortinet has released security updates to address two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that could allow attackers to bypass FortiCloud SSO authentication.
Threat actors can exploit the two security flaws tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb) by abusing improper verification of cryptographic signature weaknesses in vulnerable products via a maliciously crafted SAML message.
However, as Fortinet explained in an advisory published today, the vulnerable FortiCloud feature is not enabled by default when the device is not FortiCare-registered.
"Please note that the FortiCloud SSO login feature is no
Checkpoint
24th November – Threat Intelligence Report
blogs_checkpoint·2025-11-24
CVE-2025-58034 24th November – Threat Intelligence Report
## 24th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th November, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The notorious “Scattered LAPSUS$ Hunters” group claimed responsibility for a supply-chain attack involving the Salesforce-integrated platform Gainsight. The group stated that data from 300 organizations was compromised, including Verizon, GitLab and Atlassian. Salesforce has confirmed unusual activity related to Gainsig
Bleepingcomputer
CISA gives govt agencies 7 days to patch new Fortinet flaw
blogs_bleepingcomputer·2025-11-19·CVSS 7.2
CVE-2025-58034 [HIGH] CISA gives govt agencies 7 days to patch new Fortinet flaw
## CISA gives govt agencies 7 days to patch new Fortinet flaw
## Sergiu Gatlan
CISA has ordered U.S. government agencies to secure their systems within a week against another vulnerability in Fortinet's FortiWeb web application firewall, which was exploited in zero-day attacks.
Tracked as CVE-2025-58034, this OS command injection flaw can allow authenticated threat actors to execute code as root in low-complexity attacks that don't require user interaction.
"An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands," Fortinet said on Tuesday.
"The specific flaw exists within the imple
Bleepingcomputer
Fortinet warns of new FortiWeb zero-day exploited in attacks
blogs_bleepingcomputer·2025-11-18·CVSS 7.2
CVE-2025-58034 [HIGH] Fortinet warns of new FortiWeb zero-day exploited in attacks
## Fortinet warns of new FortiWeb zero-day exploited in attacks
## Sergiu Gatlan
Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks.
Tracked as CVE-2025-58034, this web application firewall security flaw was reported by Jason McFadyen of Trend Micro's Trend Research team.
Authenticated threat actors can gain code execution by successfully exploiting this OS command injection vulnerability in low-complexity attacks that don't require user interaction.
"An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests o
Recorded Future
November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
blogs_recorded_future·CVSS 5.4
CVE-2025-64446 [MEDIUM] November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
# November 2025 CVE Landscape: 10 Critical Vulnerabilities Show 69% Drop from October
November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
- Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
- LANDFALL spyware campaign: Threat actors weaponized Samsung's image processing flaw (CVE-2025-21042) for zero-click Android attacks
- Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
- OS Command Injection and Out-of-bounds Write were tied as the most common weakness types
Bottom line: Th
Greynoiseio
NoiseLetter November 2025
blogs_greynoiseio
NoiseLetter November 2025
Timeline:
- 2025-11-18: Published
- 2025-11-18: Added to CISA KEV
- Exploited in the wild