CISA Alerts To Active Exploitation Of Fortinet FortiWeb OS Command Injection Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical OS command injection vulnerability in Fortinet’s FortiWeb web application firewall to its Known Exploited Vulnerabilities (KEV) catalog.

This flaw, tracked as CVE-2025-58034, allows authenticated attackers to execute arbitrary code on affected systems through specially crafted HTTP requests or CLI commands.

Fortinet confirmed active exploitation in the wild, urging immediate patching to prevent unauthorized access and potential network compromise.​

Discovered by Trend Micro researchers, the vulnerability stems from improper neutralization of special elements in OS commands, classified under CWE-78.

It affects multiple FortiWeb versions and has a CVSS v3.1 base score of 6.7, rated as medium severity due to the need for authentication.

However, when combined with a related path traversal flaw (CVE-2025-64446), attackers can bypass authentication and achieve complete remote code execution without credentials.

Exploitation involves injecting shell metacharacters into API endpoints or CLI inputs, resulting in command execution on the FortiWeb appliance’s underlying Linux OS.

Successful attacks could enable attackers to install web shells, escalate privileges, or pivot to internal networks, posing risks to organizations using FortiWeb for web security.

Technical Breakdown

The core issue in CVE-2025-58034 lies in the FortiWeb management interface, where user-supplied input to diagnostic or configuration APIs fails to sanitize OS command elements properly.

For instance, an attacker with valid admin credentials could append commands such as “; rm -rf /” to a legitimate HTTP POST request to the API endpoint, tricking the system into running unauthorized shell commands.

This injection occurs because the backend processes user input via system() or similar functions without escaping special characters, such as semicolons, pipes, or ampersands.

Affected versions span several FortiWeb branches, as detailed in the table below, which highlights the vulnerability’s broad impact on deployments from 2020 onward:

Fortinet silently patched some versions earlier, but full disclosure came on November 18, 2025, alongside evidence of real-world attacks.

Telemetry from security firms like Rapid7 and Trend Micro shows over 2,000 global exploitation attempts, targeting exposed management interfaces in sectors including government, finance, and critical infrastructure.

Attackers, possibly including state-sponsored groups like Volt Typhoon, scan for vulnerable instances using tools like Shodan before attempting credential stuffing or chaining exploits.​

No public proof-of-concept code exists yet, but the low complexity requiring only authentication makes it attractive for opportunistic hackers.

When combined with CVE-2025-64446’s unauthenticated path traversal, the chain enables directory traversal to sensitive files or the execution of admin commands, amplifying the threat to unpatched devices.

Mitigation Strategies

Organizations must prioritize patching by CISA’s November 25, 2025, due date to comply with Binding Operational Directive 22-01.

Upgrade to the latest FortiWeb versions listed above, and restrict management interface access to trusted IP ranges using firewalls or VPNs.

Disable unnecessary CLI access and enable multi-factor authentication for admin accounts to hinder initial compromise.

Monitor logs for suspicious HTTP requests containing command patterns, such as anomalous API calls with base64-encoded payloads or unusual process spawns.

Tools like FortiAnalyzer or third-party SIEMs can detect injection attempts by flagging high-privilege executions from web interfaces.

If patching is delayed, apply workarounds, such as input validation rules in FortiWeb policies to block shell metacharacters, though this is not foolproof.

The rapid addition to CISA’s KEV underscores the urgency, as unmitigated flaws could lead to data breaches or ransomware deployment.

Fortinet’s history of targeted attacks highlights the need for vigilant vulnerability management in enterprise web defenses.