Threats / Fortinet / CVE-2025-58034
CVE-2025-58034
· EUVD no mirror located
· GCVE no mirror located
Verified 2026-06-22
Fortinet FortiWeb vulnerability
Fortinet FortiWeb contains an OS command injection vulnerability allowing authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands.
Verdict
Today item — known-exploited.
An authenticated attacker can inject arbitrary OS commands into FortiWeb through malformed HTTP requests or CLI input, achieving code execution on the underlying system. Active exploitation has been observed in the wild.
01
Is it exploitable?
— the evidence, ranked above the scoreExploit available
Fully weaponized — public exploit code is cataloged for this vulnerability.We link the existence of the exploit; we do not host or redistribute payloads.
Reported exploitation
5 independent public reports of in-the-wild exploitation are cataloged.Distinct reporting sources (vendor, incident response, government); open them for the underlying claims.
Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2025-11-18).
Probability (EPSS)
EPSS 0.54376 — modeled likelihood of exploitation activity.EPSS is a daily-changing model output — open the source for today's value.
Severity / affected
Affected: Fortinet, FortiWeb. Confirm exact fixed builds in the vendor advisory.
Weakness (CWE)
Mapped to CWE-78 OS Command Injection — weakness family: Injection.CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
02
Who’s exploiting it?
— attribution turns risk into urgencyAttribution not established
No confirmed (advisory-backed) threat-actor attribution is established for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.
03
Why it matters
— the attack path, told twice: adversary, then board1
Front door — unauthenticated access narrative 1
Attacker
I authenticate to FortiWeb using valid credentials or an existing session.
Business
Legitimate administrative access is a prerequisite for exploitation, limiting the initial attack surface to insiders or those with compromised credentials.
2
Keys to the kingdom — privilege/identity takeover narrative 2
Attacker
I craft malicious HTTP requests or CLI commands containing OS command syntax that bypasses input validation.
Business
The application fails to properly sanitize user input before passing it to system command execution functions.
3
Lateral reach — past segmentation narrative 3
Attacker
I execute arbitrary commands on the FortiWeb host with the privileges of the application process.
Business
An attacker gains direct control over the security appliance, potentially compromising network traffic inspection and enabling lateral movement.
4
Data at risk — exfiltration narrative 4
Attacker
I maintain persistence or escalate privileges to root/system level access.
Business
The organization loses control of a critical security perimeter device, enabling data exfiltration, malware injection, or network-wide compromise.
04
What to do
— defensible action- Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.1
Say it to the boardA vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
05