FortiWeb Alert: New Authenticated Command Injection Flaw (CVE-2025-58034) Actively Exploited
In recent days it has become apparent that FortiWeb had been accumulating issues the manufacturer chose not to disclose in advance. After Fortinet acknowledged active exploitation of the critical vulnerability CVE-2025-64446 — which allows attackers to execute administrative commands without authentication — the company was compelled to confirm yet another dangerous flaw, this time involving the execution of system commands after a user has already logged in to the device interface.
Researchers at Trend Micro discovered the vulnerability later designated CVE-2025-58034, and their findings formed the basis of a new emergency advisory. The vendor noted that attacks had been observed on real devices, prompting an accelerated release of patches.
CVE-2025-58034 enables arbitrary code execution through specially crafted HTTP requests or CLI commands. It falls under the category of system command injection, and an attacker exploiting it can perform arbitrary operations on the device’s operating system if valid credentials have been obtained. Updating FortiWeb to the latest version prevents such manipulation, which the vendor urges administrators to do immediately. According to Trend Micro, roughly 2,000 exploitation attempts have already been detected in customer environments.
For U.S. federal agencies, the situation triggered a separate warning: CISA added the flaw to its catalog of actively exploited vulnerabilities and mandated patching within seven days. Such a timeframe is unusually strict — critical issues are typically given 15 days for remediation, and less severe problems 30. The agency emphasized that this class of defect is routinely abused by threat actors and poses serious risks to government systems.
The relationship between the recent CVE-2025-64446 and the newly disclosed flaw remains unresolved. The first vulnerability allows attackers to bypass authentication and carry out administrative operations on FortiWeb without logging in; the second enables command execution after authentication. While Fortinet’s documentation provides no explicit link, technical analysts at Rapid7 note that the proximity of the disclosures, the vendor’s quiet pre-patching of both issues, and the clear value of combining “authentication bypass” with “system command execution” make such a chain almost inevitable. In their view, the pair of vulnerabilities could readily be weaponized for unauthorized remote code execution (RCE).
Trend Micro explained that its research emerged while re-examining an older FortiWeb issue, during which it became evident that authenticated users could trigger system commands through the web interface. This capability opens a path to full device compromise and deeper network penetration if updates are not applied promptly. The watchTowr team had already observed widespread exploitation attempts of CVE-2025-64446 even before Fortinet formally acknowledged the issue, reinforcing concerns that the situation reflects a broader systemic problem.
At present, it remains unclear which groups or individual threat actors are leveraging the new vulnerability, and the overall impact has yet to be disclosed.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
