A critical zero-day vulnerability in Fortinet's FortiWeb, tracked as CVE-2025-58034, has been actively exploited in the wild, prompting urgent attention from security teams. This vulnerability, which allows for OS command injection, affects multiple versions of FortiWeb, specifically versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11. The flaw has been assigned a CVSS score of 7.2, indicating a high severity level, and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of November 18, 2025.
The vulnerability stems from improper neutralization of special elements used in OS commands, categorized under CWE-78. This flaw allows attackers to execute arbitrary commands on the underlying operating system, potentially leading to full system compromise. The exploitation of this vulnerability was detected before its official disclosure, marking it as a zero-day with a Time to Exploit (TTE) of -0.7 days. This underscores the urgency for organizations using FortiWeb to apply patches immediately.
Fortinet has released patches to address this vulnerability, but the fact that it was exploited prior to disclosure highlights the need for robust monitoring and rapid response capabilities. The vulnerability's Exploit Prediction Scoring System (EPSS) score of 0.373 suggests a moderate likelihood of exploitation, yet the active exploitation in the wild elevates the risk profile significantly.
Security teams should prioritize patching FortiWeb installations and review their systems for any signs of compromise. Indicators of compromise (IOCs) related to this vulnerability should be integrated into monitoring systems to detect any malicious activity. Additionally, organizations should consider implementing network segmentation and least privilege access controls to mitigate potential impacts of exploitation.
Given the critical nature of this vulnerability and its active exploitation, organizations are advised to follow Fortinet's guidance on patching and to stay informed about any further developments. The swift action is crucial to protect sensitive data and maintain the integrity of affected systems.
CSURFACE