Fortinet has confirmed that another flaw in its FortiWeb web application firewall has been exploited as a zero-day and issued a patch, just days after disclosing a critical bug in the same product that attackers had found and abused a month earlier.
The new bug, tracked as CVE-2025-58034, is an OS command injection vulnerability that allows authenticated attackers to execute unauthorized code on the underlying system using crafted HTTP requests or CLI commands. Updating FortiWeb devices to the most recent software version fixes the problem.
It seems highly likely these two vulnerabilities comprise an exploit chain for unauthenticated RCE
“Fortinet has observed this to be exploited in the wild,” the vendor said in a Tuesday security advisory that credited Trend Micro researcher Jason McFadyen with finding and reporting the vulnerability.
“Trend Micro has observed attacks in the wild using this flaw with around 2,000 detections so far,” Trend Micro senior threat researcher Stephen Hilt told The Register.
Meanwhile, the US Cybersecurity and Infrastructure Security Agency issued its own alert about the FortiWeb bug on Tuesday, adding it to its Known Exploited Vulnerability catalog and giving federal agencies just seven days to apply the patch. CISA usually sets a 15-day deadline to fix critical patches and a 30-day time limit for implementing high-severity bugs.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” America’s cyber defense agency warned.
Fortinet did not immediately respond to The Register‘s inquiries about the scope of exploitation, who is abusing CVE-2025-58034, and the consequences of attacks on the flaw. We will update this story if we receive a response from the vendor.
There’s also this question: Is this new FortiWeb bug related to last week’s disclosure? We’ve asked Fortinet about that, too.
Last Friday, Fortinet published a security advisory for a critical FortiWeb path traversal vulnerability (CVE-2025-64446) under active exploitation that allows unauthenticated attackers to execute administrative commands and take over vulnerable devices.
This flaw also didn’t have a CVE assigned to it until Friday, when the software company finally admitted to having “observed this to be exploited in the wild,” a month after third-party security sleuths warned of active exploitation.
“The watchTowr team is seeing active, indiscriminate in-the-wild exploitation,” watchTowr CEO and founder Benjamin Harris told The Register prior to Fortinet’s disclosure.
Fortinet’s Tuesday advisory didn’t note any connection between the two bugs, although using CVE-2025-64446, which allows authentication bypass, would be a useful step enabling exploitation of CVE-2025-58034, an authenticated command injection bug.
“Our research discovered this FortiWeb vulnerability while reviewing an older issue in the same product and found that authenticated users could execute system commands through the web interface, which puts customers at risk of attackers taking control of the device and moving deeper into the network if patches are not applied,” Trend Micro’s Hilt said.
As security firm Rapid7 noted in a technical analysis about Fortinet’s flaws, “several things stand out” and seemingly link the two vulnerabilities.
First, the timeline. Fortinet disclosed the two bugs just days apart.
“Both vulnerabilities were patched by the vendor in prior product updates and with no disclosure at the time of patching,” the analysis continued. “There is an obvious utility of chaining an authentication bypass to an authenticated command injection. Given all of these things, it seems highly likely these two vulnerabilities comprise an exploit chain for unauthenticated remote code execution against vulnerable FortiWeb devices.” ®