You are currently viewing Bugs Caught in the FortiWeb: Active Attacks Target FortiWeb Zero-Days

Bugs Caught in the FortiWeb: Active Attacks Target FortiWeb Zero-Days

  • Post author:
  • Reading time:3 mins read

Fortinet has recently addressed two actively exploited zero-days in its FortiWeb web application firewall (WAF). These flaws, a command injection vulnerability (CVE-2025-58034) and a path traversal vulnerability (CVE-2025-64446), could allow attackers to execute unauthorized code and gain administrative access to affected systems. Timely patching is critical to mitigate these risks.

Understanding the Vulnerabilities

The first flaw, CVE-2025-58034, is an OS command injection flaw that could allow authenticated attackers to execute arbitrary code via crafted HTTP requests or CLI commands. The second, CVE-2025-64446, is a path traversal vulnerability in the FortiWeb GUI component that enables unauthenticated attackers to execute administrative commands and create new admin-level accounts.

Root Cause

The root cause of CVE-2025-58034 lies in the improper neutralization of special elements used in an OS command, leading to a command injection vulnerability. As for CVE-2025-64446, the issue stems from a path traversal vulnerability affecting a specific Fortinet endpoint: /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi. This allows attackers to bypass authentication and execute commands.

Impact & Exploit Potential

The impact of these vulnerabilities is significant. Successfully exploiting CVE-2025-58034 can lead to unauthorized code execution on the underlying system, while exploiting CVE-2025-64446 grants unauthenticated attackers the ability to execute administrative commands and create new admin-level accounts, potentially leading to full device takeover. Given that both vulnerabilities are being actively exploited in the wild, the risk is high. Attackers are confirmed to be sending HTTP POST requests to exposed endpoints, containing payloads that create local admin-level accounts.

Tactics, Techniques, and Procedures (TTPs)

Attackers are actively exploiting these vulnerabilities in the wild. The primary tactics observed include:

  • TA0001 – Initial Access: Exploiting public-facing applications for initial entry.
  • TA0004 – Privilege Escalation: Gaining higher-level permissions on the system.
  • TA0003 – Persistence: Creating or manipulating accounts to maintain access.

The specific techniques employed are:

  • T1190 – Exploit Public-Facing Application: Leveraging vulnerabilities in public-facing applications to gain access.
  • T1068 – Exploitation for Privilege Escalation: Exploiting weaknesses to elevate privileges.
  • T1098 – Account Manipulation: Modifying or creating accounts for persistent access.

Affected Products

These vulnerabilities affect the following FortiWeb versions:

  • FortiWeb 8.0.0 through 8.0.1
  • FortiWeb 7.6.0 through 7.6.5 (CVE-2025-58034)
  • FortiWeb 7.4.0 through 7.4.10 (CVE-2025-58034)
  • FortiWeb 7.6.0 through 7.6.4 (CVE-2025-64446)
  • FortiWeb 7.4.0 through 7.4.9 (CVE-2025-64446)
  • FortiWeb 7.2.0 through 7.2.11
  • FortiWeb 7.0.0 through 7.0.11
  • FortiWeb versions 8.0.1 and earlier

Mitigation & Recommendations

To protect your systems from these actively exploited vulnerabilities, it is crucial to take the following actions:

  • Upgrade FortiWeb: Upgrade your FortiWeb devices to the latest available software versions: 8.0.2, 7.6.6, 7.4.11, 7.2.12, 7.0.12 or above.
  • Review Configuration and Logs: Check your FortiWeb configuration and logs for any unexpected modifications or the addition of unauthorized administrator accounts.
  • Restrict Access: Ensure management interfaces are not reachable from the internet and are restricted to trusted networks or VPN-only access.

Indicators of Compromise

Consider investigating the following IP addresses for any suspicious activity:

  • 107[.]152[.]41[.]19
  • 144[.]31[.]1[.]63
  • Addresses in the 185[.]192[.]70[.]0/24 range
  • 64[.]95[.]13[.]8

CISA Directive

The Cybersecurity and Infrastructure Security Agency (CISA) has added both CVEs to its Known Exploited Vulnerabilities Catalog and has mandated that U.S. federal agencies patch their systems by November 21, 2025 for CVE-2025-64446 and November 25, 2025 for CVE-2025-58034.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.