Fortinet Warns of New FortiWeb Vulnerability Exploited in the Wild: A Critical Security Alert
In a recent security alert, Fortinet has issued a critical warning about a new vulnerability in FortiWeb, a widely used web application firewall. The vulnerability, tracked as CVE-2025-58034, has been actively exploited by attackers, posing a significant risk to organizations using FortiWeb solutions.
The vulnerability is classified as a medium-severity issue, with a CVSS score of 6.7 out of 10. It stems from an improper neutralization of special elements in an OS command, allowing authenticated attackers to execute unauthorized code on the underlying system. This can be achieved through crafted HTTP requests or CLI commands, highlighting the potential for severe consequences.
Fortinet's advisory (https://fortiguard.fortinet.com/psirt/FG-IR-25-513) emphasizes the importance of upgrading to the latest versions to mitigate the risk. The affected versions include FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. Fortinet's responsible disclosure policy is credited to Trend Micro researcher Jason McFadyen for reporting the flaw.
This alert comes just days after Fortinet addressed another critical vulnerability, CVE-2025-64446, with a CVSS score of 9.1, in version 8.0.2. Fortinet's proactive approach to security is commendable, but the lack of an advisory for the latest vulnerability has raised concerns. Security experts argue that such silence can leave defenders vulnerable, as it prevents them from adequately preparing and responding to potential attacks.
The controversy surrounding this issue highlights the delicate balance between security and transparency. While Fortinet's commitment to customer security is evident, the decision to patch without an advisory may inadvertently create a disadvantage for defenders. This incident underscores the importance of clear and timely communication in the face of emerging security threats.
For those interested in staying informed, following Fortinet's official channels and security blogs can provide valuable insights into emerging vulnerabilities and best practices. Additionally, keeping up with industry news and security advisories is crucial for maintaining a robust security posture.
