Fortinet Warns of New FortiWeb Zero-Day Exploited in Attacks

Estimated reading time: 8 minutes

Key Takeaways:

  • Fortinet has issued a security advisory for a zero-day vulnerability (CVE-2025-58034) in its FortiWeb WAF product.
  • The vulnerability is an OS command injection flaw that is being actively exploited in the wild.
  • Administrators are urged to upgrade their FortiWeb devices to the latest available software versions immediately.
  • PurpleOps offers services to help organizations strengthen their cybersecurity posture and mitigate risks associated with such vulnerabilities.

Table of Contents:

On November 18, 2025, Fortinet issued a security advisory addressing a newly discovered zero-day vulnerability affecting its FortiWeb web application firewall (WAF) product. The vulnerability, identified as CVE-2025-58034, is already being actively exploited in the wild, posing a significant risk to organizations using affected FortiWeb versions.

Understanding the FortiWeb Zero-Day Vulnerability

CVE-2025-58034 is an OS command injection vulnerability. An authenticated attacker can exploit this flaw to execute unauthorized code on the underlying system. The attack does not require user interaction and is considered to have low complexity, making it easier for attackers to leverage.
The vulnerability stems from an improper neutralization of special elements used in an OS command. This allows attackers to inject malicious commands through crafted HTTP requests or CLI commands. Trend Micro’s Trend Research team discovered and reported the vulnerability. Trend Micro has observed attacks exploiting this flaw, with approximately 2000 detections recorded.
Fortinet has confirmed that they have observed in the wild exploitation of this vulnerability.

Alert screen showing FortiWeb zero-day vulnerability CVE-2025-58034

Affected Versions and Mitigation:

To address this critical vulnerability, Fortinet has released security updates for the following FortiWeb versions:
  • FortiWeb 8.0: Versions 8.0.0 through 8.0.1. Solution: Upgrade to 8.0.2 or above.
  • FortiWeb 7.6: Versions 7.6.0 through 7.6.5. Solution: Upgrade to 7.6.6 or above.
  • FortiWeb 7.4: Versions 7.4.0 through 7.4.10. Solution: Upgrade to 7.4.11 or above.
  • FortiWeb 7.2: Versions 7.2.0 through 7.2.11. Solution: Upgrade to 7.2.12 or above.
  • FortiWeb 7.0: Versions 7.0.0 through 7.0.11. Solution: Upgrade to 7.0.12 or above.
Administrators are urged to upgrade their FortiWeb devices to the latest available software versions immediately to mitigate the risk of exploitation.

A History of Fortinet Vulnerabilities

This is not the first time Fortinet products have been targeted by attackers exploiting zero-day vulnerabilities. Last week, Fortinet confirmed a silent patch for another massively exploited FortiWeb zero-day (CVE-2025-64446) on October 28, three weeks after Defused, a threat intelligence firm, first reported active exploitation. This vulnerability allowed attackers to create new admin-level accounts on Internet-exposed devices using HTTP POST requests. CISA added CVE-2025-64446 to its catalog of actively exploited vulnerabilities and ordered U.S. federal agencies to secure their systems.
In August 2025, Fortinet patched a command injection vulnerability (CVE-2025-25256) in its FortiSIEM security monitoring solution after a report from GreyNoise indicated a surge in brute-force attacks targeting Fortinet SSL VPNs.
Fortinet vulnerabilities are frequently exploited in cyber espionage and ransomware attacks. In February 2025, Fortinet disclosed that the Chinese Volt Typhoon hacking group exploited two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to backdoor a Dutch Ministry of Defence military network using custom Coathanger remote access trojan (RAT) malware. This highlights the potential for significant damage when these vulnerabilities are exploited.

Practical Takeaways and Actionable Advice:

  • Immediate Patching: The most critical step is to immediately patch all affected FortiWeb devices to the latest available versions.
  • Web Application Firewall Hardening: Review and harden your WAF configuration to ensure it is effectively blocking common attack vectors. Consider leveraging cyber threat intelligence platform data to proactively block malicious IPs and patterns.
  • Monitor for Suspicious Activity: Closely monitor FortiWeb logs for any unusual activity, especially HTTP requests or CLI commands that could indicate exploitation attempts. Use a breach detection system to identify any unauthorized access or changes to your systems.
  • Principle of Least Privilege: Ensure that users only have the necessary privileges to perform their tasks. Limit administrative access to only those who require it.
  • Network Segmentation: Implement network segmentation to limit the blast radius of a potential breach.
  • Incident Response Plan: Ensure that you have an incident response plan in place that is regularly tested and updated. The plan should outline the steps to take in the event of a successful attack, including containment, eradication, and recovery.
  • Supply-Chain Risk Monitoring: Integrate supply-chain risk monitoring into your overall security posture to stay informed about vulnerabilities and threats affecting your vendors and partners.

Relevance to PurpleOps Services:

PurpleOps offers a suite of services to help organizations strengthen their cybersecurity posture and mitigate the risks associated with vulnerabilities like CVE-2025-58034. These services include:
  • Cyber Threat Intelligence: PurpleOps provides a cyber threat intelligence platform, offering real-time ransomware intelligence and dark web monitoring service to help organizations stay ahead of emerging threats and proactively defend against attacks. Our telegram threat monitoring and underground forum intelligence capabilities can identify discussions and plans related to exploiting vulnerabilities like this one.
  • Breach Detection: PurpleOps’ breach detection capabilities can help organizations identify and respond to successful attacks quickly, minimizing the damage.
  • Red Team Operations and Penetration Testing: PurpleOps offers red team operations and penetration testing services to identify vulnerabilities in your systems and applications before attackers can exploit them.
  • Supply Chain Information Security: PurpleOps can help you assess and manage the security risks associated with your supply chain, ensuring that your vendors and partners are also taking adequate steps to protect your data.
  • Dark Web Monitoring: PurpleOps’ dark web monitoring service can detect if your organization’s credentials or sensitive data have been exposed on the dark web, allowing you to take proactive steps to mitigate the risk of identity theft and fraud.
  • Brand Leak Alerting: PurpleOps’ brand leak alerting service can help you identify and respond to instances of your brand being used in phishing campaigns or other malicious activities.
  • Protect Ransomware: PurpleOps’ ransomware protection services, including live ransomware API, can help you prevent ransomware attacks and minimize the impact if one does occur.
The recent Fortinet FortiWeb zero-day vulnerability underscores the need for organizations to remain proactive in their cybersecurity efforts. Patching systems promptly, monitoring for suspicious activity, and implementing robust security controls are essential steps to protect against these types of attacks. Leveraging threat intelligence and vulnerability management services can further enhance an organization’s security posture.
For more information about how PurpleOps can help you strengthen your cybersecurity defenses, please visit PurpleOps Platform or PurpleOps Services to explore our services. Contact us today at PurpleOps Cyber Threat Intelligence to schedule a consultation.

FAQ

Q: What is CVE-2025-58034?
A: CVE-2025-58034 is an OS command injection vulnerability affecting Fortinet’s FortiWeb web application firewall (WAF) product.
Q: Which FortiWeb versions are affected?
A: The following FortiWeb versions are affected: 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11.
Q: What is the solution?
A: Upgrade to the latest available software version for your FortiWeb device.
Q: How can PurpleOps help?
A: PurpleOps offers a suite of services, including cyber threat intelligence, breach detection, red team operations, supply chain information security, dark web monitoring, brand leak alerting, and ransomware protection, to help organizations strengthen their cybersecurity posture.