Fortinet warned on Tuesday of a medium-severity vulnerability in its FortiWeb web application firewall, tracked as CVE-2025-58034 and carrying a CVSS score of 6.7, that has been exploited in the wild. The company described the issue as an OS command injection (CWE-78) that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands, and, in a Tuesday advisory, Fortinet said the flaw has been observed in active exploitation.
Fortinet said successful attacks require an attacker to first authenticate by some other means and then chain that access with CVE-2025-58034 to execute arbitrary operating system commands. The company characterised the vulnerability as requiring prior access rather than allowing unauthenticated remote code execution.
The vendor said the issue has been addressed in specific FortiWeb releases: upgrade paths include FortiWeb 8.0.2 or later, 7.6.6 or later, 7.4.11 or later, 7.2.12 or later and 7.0.12 or later; earlier builds in those series remain affected until updated.
Fortinet credited Trend Micro researcher Jason McFadyen for reporting the flaw under its responsible disclosure policy. The development follows a recent, partly silent patch for another critical FortiWeb vulnerability, CVE-2025-64446, patched in version 8.0.2, and Fortinet said it had activated its PSIRT response and remediation efforts while seeking to balance customer security and responsible transparency. It is not clear why an advisory was not issued earlier for the prior patch; security observers warned that silent fixes can leave defenders at a disadvantage.