Detections
Analytics
CVE-2025-58034
high
Description
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
References
https://www.theregister.com/2025/11/19/fortinet_confirms_second_fortiweb_0day/
https://www.securityweek.com/fortinet-discloses-second-exploited-fortiweb-zero-day-in-a-week/
https://www.hipaajournal.com/fortinet-patches-actively-exploited-fortiweb-zero-day-flaw/
https://www.helpnetsecurity.com/2025/11/19/fortiweb-vulnerability-cve-2025-58034/
https://thehackernews.com/2025/11/fortinet-warns-of-new-fortiweb-cve-2025.html
Details
Published: 2025-11-18
Updated: 2025-11-20
Known Exploited Vulnerability (KEV)
Risk Information
CVSS v2
Base Score: 8.3
Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C
Severity: High
CVSS v3
Base Score: 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity: High
EPSS
EPSS: 0.04573
Vulnerability Watch
Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.
Vulnerability of Interest