CVE-2025-58034: 
Fortinet FortiWeb 脆弱性の分析と軽減

An OS Command Injection vulnerability (CVE-2025-58034) was discovered in Fortinet FortiWeb that affects multiple versions including FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11. The vulnerability was reported by Jason McFadyen from Trend Micro's Trend Research team and was disclosed on November 18, 2025. The flaw received a CVSS score of 6.7, indicating medium severity (Fortinet PSIRT, Hacker News).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an OS Command (CWE-78) issue. It allows an authenticated attacker to execute unauthorized code on the underlying system through two attack vectors: crafted HTTP requests or CLI commands. The vulnerability requires authentication for successful exploitation, which somewhat limits its potential impact (Fortinet PSIRT).

When successfully exploited, the vulnerability enables authenticated attackers to execute arbitrary operating system commands on the affected FortiWeb systems. This level of access could potentially lead to complete system compromise and unauthorized control over the web application firewall (Bleeping Computer).

Fortinet has released security updates to address the vulnerability. Organizations are advised to upgrade to the following versions: FortiWeb 8.0.2 or above for 8.0.x, FortiWeb 7.6.6 or above for 7.6.x, FortiWeb 7.4.11 or above for 7.4.x, FortiWeb 7.2.12 or above for 7.2.x, and FortiWeb 7.0.12 or above for 7.0.x. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and set a remediation deadline of November 25, 2025 (CISA KEV, Fortinet PSIRT).