Weekly Recap: Fortinet Exploit, Chrome 0-Day, BadIIS Malware, Record DDoS, SaaS Breach & More
"Fortinet has warned that a new security flaw in FortiWeb has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0. It has been addressed in version 8.0.2. "An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands," the company said."
"The development came days after Fortinet confirmed that it silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in version 8.0.2. Although the company has not clarified if the exploitation activity is linked, Orange Cyberdefense said it observed "several exploitation campaigns" chaining CVE-2025-58034 with CVE-2025-64446 to facilitate authentication bypass and command injection. Fortinet's handling of the issue has come in for heavy criticism."
Multiple attackers exploited newly discovered vulnerabilities and zero-days across browsers, appliances, supply chains, and SaaS platforms, often hiding inside trusted apps, browser alerts, and software updates. Large vendors including Microsoft, Salesforce, and Google responded rapidly to stop DDoS attacks, block malicious links, and patch live flaws. Fortinet disclosed an actively exploited FortiWeb OS command injection (CVE-2025-58034, CVSS 6.7) patched in 8.0.2, following a silently patched critical FortiWeb bug (CVE-2025-64446, CVSS 9.1). Orange Cyberdefense observed exploitation campaigns chaining the two vulnerabilities to achieve authentication bypass and command injection. Fortinet faced criticism for staggered disclosure and silent patching decisions.
Read at The Hacker News