

Ethical Hacking News

Fortinet Warns of New FortiWeb Vulnerability: A Security Flaw Exploited in the Wild


Fortinet has warned of a new FortiWeb vulnerability (CVE-2025-58034) that allows authenticated attackers to execute arbitrary operating system commands via crafted HTTP requests or CLI commands. The vulnerability has been addressed in updated versions of FortiWeb, but concerns remain among security experts about the lack of transparency from vendors.

  • A new security flaw (CVE-2025-58034) has been discovered in Fortinet's FortiWeb web application security solution, carrying a CVSS score of 6.7.
  • The vulnerability allows authenticated attackers to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
  • Fortinet has released patches for affected versions, including upgrades to 8.0.2 and above.
  • However, some security experts have raised concerns that Fortinet's responsible disclosure policy may leave defenders at a disadvantage.



In a recent advisory, Fortinet has warned of a new security flaw in their popular web application security solution, FortiWeb. This vulnerability, tracked as CVE-2025-58034, carries a Common Vulnerability Scoring System (CVSS) score of 6.7 out of a maximum of 10.0. The medium-severity vulnerability is categorized under the Common Weakness Enumeration (CWE) as OS Command Injection and poses significant risks to FortiWeb users.

According to Fortinet, this vulnerability allows an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands. This means that if a malicious actor has already obtained valid credentials for a FortiWeb device by other means, they can exploit this vulnerability to gain elevated privileges and potentially execute arbitrary operating system commands.

Fortinet has taken proactive measures to address this issue by releasing patches for affected versions of FortiWeb. The affected versions and their fixed releases are:

* FortiWeb 8.0.0 through 8.0.1 (Upgrade to 8.0.2 or above)
* FortiWeb 7.6.0 through 7.6.5 (Upgrade to 7.6.6 or above)
* FortiWeb 7.4.0 through 7.4.10 (Upgrade to 7.4.11 or above)
* FortiWeb 7.2.0 through 7.2.11 (Upgrade to 7.2.12 or above)
* FortiWeb 7.0.0 through 7.0.11 (Upgrade to 7.0.12 or above)
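As an added, defender-side example (not code from Fortinet or from the advisory), the following Python helper checks FortiWeb version strings against the affected ranges listed above and returns the first fixed release for each branch; the inventory hostnames and versions are constructed.

```python
# Added example: triage FortiWeb versions against the CVE-2025-58034 ranges.
# Not Fortinet code. Sample inventory below is constructed, not real hosts.
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# (first affected, last affected, first fixed) per branch, taken from the advisory text.
AFFECTED_RANGES = [
    ("8.0.0", "8.0.1", "8.0.2"),
    ("7.6.0", "7.6.5", "7.6.6"),
    ("7.4.0", "7.4.10", "7.4.11"),
    ("7.2.0", "7.2.11", "7.2.12"),
    ("7.0.0", "7.0.11", "7.0.12"),
]


def parse_version(text: str) -> Version:
    """Turn 'v7.4.3' or '7.4.3' into a comparable tuple of ints, e.g. (7, 4, 3)."""
    cleaned = text.strip().lower().lstrip("v")
    parts = cleaned.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    return tuple(int(p) for p in parts)


def fix_for(version: str) -> Optional[str]:
    """Return the first fixed release if `version` lies in a listed affected range.

    None means "not in any range the advisory lists", not "known safe":
    branches the advisory does not mention are out of scope here.
    Tuple comparison orders 7.4.10 after 7.4.9, which a string compare would not.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map hostname -> required upgrade target (or None) for an inventory."""
    return {host: fix_for(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    sample = {"waf-edge-01": "7.4.10", "waf-edge-02": "8.0.2", "waf-lab": "v7.6.6", "waf-old": "7.0.3"}
    for host, fixed in triage(sample).items():
        print(f"{host}: {'upgrade to ' + fixed if fixed else 'not in a listed affected range'}")
```

A None result only says the version is outside the ranges Fortinet listed; versions the advisory does not cover still need checking against the vendor's PSIRT page.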

Fortinet credits the discovery to Jason McFadyen of Trend Micro, who reported the vulnerability to the company under its responsible disclosure policy.

This development comes as a follow-up to another critical FortiWeb vulnerability (CVE-2025-64446) that was silently patched in version 8.0.2 without an official advisory being released. This has raised concerns among security experts, who argue that this approach can leave defenders at a disadvantage and effectively prevent them from mounting an adequate response.

"When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders," said VulnCheck in a recent statement. "We urge Fortinet to take immediate action and provide clear guidance to its customers on this vulnerability."

In conclusion, the discovery of this critical FortiWeb vulnerability serves as a timely reminder of the importance of proactive security measures and the need for vendors to prioritize responsible disclosure practices.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Fortinet-Warns-of-New-FortiWeb-Vulnerability-A-Security-Flaw-Exploited-in-the-Wild-ehn.shtml
  • https://thehackernews.com/2025/11/fortinet-warns-of-new-fortiweb-cve-2025.html
  • https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortiweb-zero-day-exploited-in-attacks/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-58034
  • https://www.cvedetails.com/cve/CVE-2025-58034/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-64446
  • https://www.cvedetails.com/cve/CVE-2025-64446/


Published: Tue Nov 18 23:11:07 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.