6 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
OS Command Injection in Fortinet FortiWeb Appliances
CVSS Score: 7.2 (High, CVSS v3.1)
Identifier: CVE-2025-58034
Exploit or Proof of Concept (PoC):
This vulnerability is confirmed to be exploited in the wild. Attackers have used crafted HTTP/HTTPS requests to exploit the OS command injection flaw to execute unauthorized commands on FortiWeb appliances.
Update:
Fortinet has published an official PSIRT advisory addressing the vulnerability:
Affected firmware versions and required updates:
- FortiWeb 8.0.0 through 8.0.1 → upgrade to 8.0.2 or later
- FortiWeb 7.6.0 through 7.6.5 → upgrade to 7.6.6 or later
- FortiWeb 7.4.0 through 7.4.10 → upgrade to 7.4.11 or later
- FortiWeb 7.2.0 through 7.2.11 → upgrade to 7.2.12 or later
- FortiWeb 7.0.0 through 7.0.11 → upgrade to 7.0.12 or later
Administrators should verify their exact firmware branch and apply the correct patch immediately.
Description:
CVE-2025-58034 is a vulnerability in Fortinet FortiWeb appliances where improper neutralization of special characters in operating system command execution allows an authenticated attacker to execute arbitrary OS commands (CWE-78).
Mitigation Recommendation:
Identify all FortiWeb appliances (physical, virtual, cloud) and determine exposure, especially those accessible from the Internet.
Apply Fortinet's fixed firmware versions as described in the advisory linked above without delay.
If immediate patching is not possible:
Block management interface access (HTTP/HTTPS) from untrusted networks
Restrict management access to known, trusted administrative host IPs only
Review appliance logs for indicators of compromise including:
Unexpected command execution events
Unusual HTTP/HTTPS requests to management endpoints
Unauthorized changes to appliance configuration or rules
Monitor for outbound connections from FortiWeb appliances that are unrecognized or suspicious, which may indicate post-compromise activity.
