CVE-2025-58034:
Fortinet FortiWeb vulnerability analysis and mitigation
Overview
An OS Command Injection vulnerability (CVE-2025-58034) was discovered in Fortinet FortiWeb that affects multiple versions including FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11. The vulnerability was reported by Jason McFadyen from Trend Micro's Trend Research team and was disclosed on November 18, 2025. The flaw received a CVSS score of 6.7, indicating medium severity (Fortinet PSIRT, Hacker News).
Technical details
The vulnerability is classified as an Improper Neutralization of Special Elements used in an OS Command (CWE-78) issue. It allows an authenticated attacker to execute unauthorized code on the underlying system through two attack vectors: crafted HTTP requests or CLI commands. The vulnerability requires authentication for successful exploitation, which somewhat limits its potential impact (Fortinet PSIRT).
Impact
When successfully exploited, the vulnerability enables authenticated attackers to execute arbitrary operating system commands on the affected FortiWeb systems. This level of access could potentially lead to complete system compromise and unauthorized control over the web application firewall (Bleeping Computer).
Mitigation and workarounds
Fortinet has released security updates to address the vulnerability. Organizations are advised to upgrade to the following versions: FortiWeb 8.0.2 or above for 8.0.x, FortiWeb 7.6.6 or above for 7.6.x, FortiWeb 7.4.11 or above for 7.4.x, FortiWeb 7.2.12 or above for 7.2.x, and FortiWeb 7.0.12 or above for 7.0.x. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and set a remediation deadline of November 25, 2025 (CISA KEV, Fortinet PSIRT).
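To turn the version ranges above into a repeatable check, here is an added triage helper (example code, not a Fortinet tool) that compares FortiWeb version strings from an inventory export against the affected and fixed releases listed in the advisory. It assumes versions appear as x.y.z and only compares numbers; it does not query any device.

```python
"""Triage helper for CVE-2025-58034: decide whether a FortiWeb version string
falls in an affected range and which release fixes it. Added example, not a
Fortinet tool; it only compares version numbers taken from the advisory."""
import re

# Table constructed from the advisory text:
# branch -> (first affected, last affected, first fixed release)
AFFECTED = {
    (8, 0): ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    (7, 6): ((7, 6, 0), (7, 6, 5), (7, 6, 6)),
    (7, 4): ((7, 4, 0), (7, 4, 10), (7, 4, 11)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 0): ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
}


def parse_version(text):
    """Turn '7.4.10' (optionally prefixed, e.g. 'FortiWeb 7.4.10') into an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(text):
    """Return (status, recommended_version); status is 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_version(text)
    branch = v[:2]
    if branch not in AFFECTED:
        return ("unknown", None)  # branch not covered by this advisory; check Fortinet PSIRT
    low, high, fixed = AFFECTED[branch]
    if low <= v <= high:
        return ("vulnerable", ".".join(map(str, fixed)))
    return ("fixed", None)


def triage_inventory(lines):
    """Apply assess() to 'hostname,version' lines (a constructed export format)."""
    results = {}
    for line in lines:
        host, _, ver = line.partition(",")
        results[host.strip()] = assess(ver)
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not data from any real device.
    sample = ["waf-edge-01,7.4.10", "waf-edge-02,7.6.6", "waf-lab-01,FortiWeb 8.0.1", "waf-old-01,6.4.3"]
    for host, (status, fix) in triage_inventory(sample).items():
        print(f"{host}: {status}" + (f" -> upgrade to {fix}" if fix else ""))
```

Branches the advisory does not list (for example 6.x) are reported as unknown rather than safe, so they still need a manual check against the vendor PSIRT entry.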
Additional resources
Source: This report was generated using AI