CISA KEV Alert: FortiWeb RCE Flaw (CVE-2025-58034) Under Active Exploitation for Command Injection

Fortinet has issued an urgent advisory warning customers that a newly disclosed vulnerability in FortiWeb, tracked as CVE-2025-58034, is being actively exploited in the wild, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) Catalog.

According to Fortinet’s advisory: “An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.”

The company confirms the severity of the situation, stating: “Fortinet has observed this to be exploited in the wild.”

While exploitation requires authentication, many real-world deployments rely on shared admin credentials, weak passwords, or integration with external access portals—a combination that dramatically increases attacker success.

The flaw enables attackers to craft malicious HTTP requests or CLI inputs that the device fails to properly sanitize, leading to direct execution of arbitrary commands on the underlying operating system.

In high-security environments where FortiWeb operates as a critical application firewall or reverse proxy, such a compromise could lead to:

• Complete administrative takeover
• Implantation of persistent backdoors
• Web traffic manipulation
• Lateral movement deeper into protected networks
• Exfiltration of sensitive application data

The advisory lists impacted versions and required upgrade paths: