FortiWeb Zero-Day Exploitation (CVE-2025-58034)
Summary
Fortinet has released security updates for a new zero-day vulnerability (CVE-2025-58034) in FortiWeb that is being actively exploited in the wild. The flaw is an OS command injection vulnerability with a CVSS score of 6.7; an attacker who is already authenticated to the device can abuse it to execute unauthorized code or commands via crafted HTTP requests or CLI commands. Fortinet has fixed it in FortiWeb 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12 and advises upgrading to those or later releases. CISA has added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch it within a week. This is the second exploited FortiWeb zero-day in a week: CVE-2025-64446, a CVSS 9.1 flaw, was silently patched in version 8.0.2 in October and was added to CISA's KEV catalog before this disclosure.
Timeline
- 18.11.2025 21:01 (4 articles): FortiWeb Zero-Day Exploited in Attacks
Fortinet has released security updates for a new zero-day vulnerability (CVE-2025-58034) in FortiWeb that is being actively exploited. The flaw is an OS command injection vulnerability with a CVSS score of 6.7; an authenticated attacker can use crafted HTTP requests or CLI commands to execute unauthorized code or commands on the appliance. Affected releases are FortiWeb 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11; the fixes are in 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12, and Fortinet advises upgrading to those or later versions. The flaw was reported by Trend Micro researcher Jason McFadyen. On the same day as the advisory, CISA added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. federal agencies to secure their systems within a week, warning that this type of vulnerability is a frequent attack vector for malicious cyber actors. CISA also pointed to recent and ongoing exploitation of FortiWeb, including CVE-2025-64446, which was added to the catalog on November 15th with a patch deadline of November 21st.
Sources:
- Fortinet warns of new FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 18.11.2025 21:01
- Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild — thehackernews.com — 19.11.2025 06:20
- Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week — www.securityweek.com — 19.11.2025 11:46
- CISA gives govt agencies 7 days to patch new Fortinet flaw — www.bleepingcomputer.com — 19.11.2025 15:44
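The version ranges above are the actionable part of the advisory, and the first thing a practitioner does is run an appliance inventory against them. The following triage helper is an added example for this page, not Fortinet tooling; it encodes exactly the affected and fixed versions reported above for CVE-2025-58034 and, for CVE-2025-64446, only the 8.0.2 fix the page mentions (other branches are reported as "unknown" rather than guessed). It assumes FortiWeb version strings start with major.minor.patch and that anything after that, such as a build tag, can be ignored; the hostnames in the sample inventory are made up.

```python
"""Triage FortiWeb firmware versions against CVE-2025-58034 and CVE-2025-64446.

Added example, not Fortinet's own tooling. The ranges below are the affected and
fixed versions reported in the advisory coverage above; nothing else is assumed
about the flaws. Version strings are read as major.minor.patch and trailing text
such as a build number is ignored (an assumption about FortiWeb's format).
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]
Range = Tuple[Version, Version, Version]  # (first affected, last affected, first fixed)

# CVE-2025-58034: every branch listed in the advisory.
CVE_2025_58034: Dict[Branch, Range] = {
    (8, 0): ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
    (7, 6): ((7, 6, 0), (7, 6, 5), (7, 6, 6)),
    (7, 4): ((7, 4, 0), (7, 4, 10), (7, 4, 11)),
    (7, 2): ((7, 2, 0), (7, 2, 11), (7, 2, 12)),
    (7, 0): ((7, 0, 0), (7, 0, 11), (7, 0, 12)),
}

# CVE-2025-64446: the page only states the 8.0.2 fix, so only the 8.0 branch
# can be assessed here; any other branch is reported as "unknown".
CVE_2025_64446: Dict[Branch, Range] = {
    (8, 0): ((8, 0, 0), (8, 0, 1), (8, 0, 2)),
}

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse 'v7.4.10', '7.4.10 build0101', ... into (7, 4, 10)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def _assess(version: str, table: Dict[Branch, Range], unlisted: str) -> dict:
    v = parse_version(version)
    rng = table.get((v[0], v[1]))
    if rng is None:
        return {"version": version, "status": unlisted, "fix": None}
    first, last, fixed = rng
    status = "vulnerable" if first <= v <= last else "fixed"
    return {"version": version, "status": status, "fix": fmt(fixed)}


def assess_cve_2025_58034(version: str) -> dict:
    # Branches the advisory does not list (e.g. 6.x) have no fixed version
    # here; they are flagged "not-listed" and treated as needing action,
    # not as safe.
    return _assess(version, CVE_2025_58034, "not-listed")


def assess_cve_2025_64446(version: str) -> dict:
    return _assess(version, CVE_2025_64446, "unknown")


def triage(inventory: List[Tuple[str, str]]) -> List[dict]:
    """Return one row per (host, version), hosts needing action first."""
    rows = []
    for host, version in inventory:
        a = assess_cve_2025_58034(version)
        b = assess_cve_2025_64446(version)
        rows.append({
            "host": host,
            "version": version,
            "cve_2025_58034": a["status"],
            "cve_2025_64446": b["status"],
            "upgrade_to": a["fix"],
            "needs_action": "vulnerable" in (a["status"], b["status"])
                            or a["status"] == "not-listed",
        })
    rows.sort(key=lambda r: (not r["needs_action"], r["host"]))
    return rows


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("waf-dmz-01", "8.0.1"),
    ("waf-dmz-02", "8.0.2 build0003"),
    ("waf-corp-01", "v7.4.10"),
    ("waf-corp-02", "7.6.6"),
    ("waf-legacy", "6.4.3"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        flag = "ACTION" if row["needs_action"] else "ok"
        print(f"{flag:6} {row['host']:12} {row['version']:16} "
              f"58034={row['cve_2025_58034']:11} 64446={row['cve_2025_64446']:8} "
              f"upgrade_to={row['upgrade_to']}")
```

Two design points: an appliance on a branch the advisory does not list is reported as needing action rather than as safe, because "no fixed version stated" is not the same as "not affected"; and the CVE-2025-64446 check deliberately refuses to rate branches other than 8.0, since the page only reports the 8.0.2 fix for that flaw.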
Information Snippets
- CVE-2025-58034 is an OS command injection vulnerability in FortiWeb, allowing authenticated attackers to execute unauthorized code.
First reported: 18.11.2025 21:01 (3 sources, 4 articles). Sources:
- Fortinet warns of new FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 18.11.2025 21:01
- Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild — thehackernews.com — 19.11.2025 06:20
- Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week — www.securityweek.com — 19.11.2025 11:46
- CISA gives govt agencies 7 days to patch new Fortinet flaw — www.bleepingcomputer.com — 19.11.2025 15:44
- The vulnerability is being actively exploited in low-complexity attacks that require no user interaction, although the attacker must already be authenticated to the device.
First reported: 18.11.2025 21:01 (3 sources, 4 articles). Sources:
- Fortinet warns of new FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 18.11.2025 21:01
- Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild — thehackernews.com — 19.11.2025 06:20
- Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week — www.securityweek.com — 19.11.2025 11:46
- CISA gives govt agencies 7 days to patch new Fortinet flaw — www.bleepingcomputer.com — 19.11.2025 15:44
- Fortinet has released patches for FortiWeb versions 7.0 through 8.0 to address the vulnerability.
First reported: 18.11.2025 21:01 (3 sources, 3 articles). Sources:
- Fortinet warns of new FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 18.11.2025 21:01
- Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild — thehackernews.com — 19.11.2025 06:20
- Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week — www.securityweek.com — 19.11.2025 11:46
- CVE-2025-64446, another FortiWeb zero-day, was silently patched on October 28 and added to CISA's catalog.
First reported: 18.11.2025 21:01 (2 sources, 3 articles). Sources:
- Fortinet warns of new FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 18.11.2025 21:01
- Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild — thehackernews.com — 19.11.2025 06:20
- CISA gives govt agencies 7 days to patch new Fortinet flaw — www.bleepingcomputer.com — 19.11.2025 15:44
- In the exploitation of the earlier FortiWeb zero-day (CVE-2025-64446), attackers used HTTP POST requests to create admin-level accounts on Internet-exposed devices.
First reported: 18.11.2025 21:01 (1 source, 1 article). Sources:
- Fortinet warns of new FortiWeb zero-day exploited in attacks — www.bleepingcomputer.com — 18.11.2025 21:01
- CVE-2025-58034 has a CVSS score of 6.7.
First reported: 19.11.2025 06:20 (2 sources, 2 articles). Sources:
- Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild — thehackernews.com — 19.11.2025 06:20
- Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week — www.securityweek.com — 19.11.2025 11:46
- FortiWeb versions 8.0.0 through 8.0.1, 7.6.0 through 7.6.5, 7.4.0 through 7.4.10, 7.2.0 through 7.2.11, and 7.0.0 through 7.0.11 are affected by CVE-2025-58034.
First reported: 19.11.2025 06:20 (1 source, 1 article). Sources:
- Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild — thehackernews.com — 19.11.2025 06:20
- Trend Micro researcher Jason McFadyen reported the flaw under Fortinet's responsible disclosure policy.
First reported: 19.11.2025 06:20 (1 source, 1 article). Sources:
- Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild — thehackernews.com — 19.11.2025 06:20
- CVE-2025-64446, another FortiWeb zero-day, was silently patched in version 8.0.2 and has a CVSS score of 9.1.
First reported: 19.11.2025 06:20 (1 source, 1 article). Sources:
- Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild — thehackernews.com — 19.11.2025 06:20
- Fortinet patched CVE-2025-58034 in FortiWeb versions 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12.
First reported: 19.11.2025 11:46 (1 source, 1 article). Sources:
- Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week — www.securityweek.com — 19.11.2025 11:46
- CISA added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within a week.
First reported: 19.11.2025 11:46 (2 sources, 2 articles). Sources:
- Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week — www.securityweek.com — 19.11.2025 11:46
- CISA gives govt agencies 7 days to patch new Fortinet flaw — www.bleepingcomputer.com — 19.11.2025 15:44
- Fortinet disclosed 17 vulnerabilities, including three high-severity flaws in FortiClient Windows and FortiVoice.
First reported: 19.11.2025 11:46 (1 source, 1 article). Sources:
- Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week — www.securityweek.com — 19.11.2025 11:46
- CISA has ordered U.S. government agencies to secure their systems within a week against CVE-2025-58034.
First reported: 19.11.2025 15:44 (1 source, 1 article). Sources:
- CISA gives govt agencies 7 days to patch new Fortinet flaw — www.bleepingcomputer.com — 19.11.2025 15:44
- CISA added CVE-2025-58034 to its Known Exploited Vulnerabilities Catalog on the same day as the advisory.
First reported: 19.11.2025 15:44 (1 source, 1 article). Sources:
- CISA gives govt agencies 7 days to patch new Fortinet flaw — www.bleepingcomputer.com — 19.11.2025 15:44
- CISA warned that this type of vulnerability is a frequent attack vector for malicious cyber actors.
First reported: 19.11.2025 15:44 (1 source, 1 article). Sources:
- CISA gives govt agencies 7 days to patch new Fortinet flaw — www.bleepingcomputer.com — 19.11.2025 15:44
- CISA referenced recent and ongoing exploitation events, including CVE-2025-64446, which was added to the catalog on November 15th.
First reported: 19.11.2025 15:44 (1 source, 1 article). Sources:
- CISA gives govt agencies 7 days to patch new Fortinet flaw — www.bleepingcomputer.com — 19.11.2025 15:44
- CISA ordered U.S. federal agencies to patch CVE-2025-64446 by November 21st.
First reported: 19.11.2025 15:44 (1 source, 1 article). Sources:
- CISA gives govt agencies 7 days to patch new Fortinet flaw — www.bleepingcomputer.com — 19.11.2025 15:44
Similar Happenings
Remote Code Execution Vulnerability in ImunifyAV/AI-bolit
A remote code execution (RCE) flaw in the AI-bolit malware scanning component of ImunifyAV and Imunify360, used by millions of Linux-hosted websites, could allow attackers to compromise hosting environments. The vulnerability stems from improper validation of function names during deobfuscation of PHP files. The flaw affects versions prior to 32.7.4.0 and has been patched, but no CVE identifier has been assigned. The vulnerability is particularly concerning due to the widespread use of ImunifyAV in shared hosting environments, potentially enabling full server takeovers if the scanner runs with elevated privileges.
React Native CLI Remote Code Execution Vulnerability (CVE-2025-11953)
A critical security flaw in the React Native CLI package, tracked as CVE-2025-11953, allowed remote, unauthenticated attackers to execute arbitrary OS commands on development servers. The vulnerability affected versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package, impacting millions of developers using the React Native framework. The flaw was patched in version 20.0.0. The vulnerability was due to the Metro development server binding to external interfaces by default and exposing an '/open-url' endpoint susceptible to OS command injection. Attackers could exploit this to run arbitrary commands on the affected systems. The flaw underscores the risks associated with third-party code and emphasizes the need for comprehensive security scanning in the software supply chain.
Privilege Escalation Vulnerability in Linux Kernel Exploited in Ransomware Attacks
A high-severity privilege escalation flaw in the Linux kernel (CVE-2024-1086) is being exploited in ransomware attacks. Disclosed in January 2024, the vulnerability allows attackers with local access to escalate privileges to root level. It affects multiple major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat. The flaw was introduced in February 2014 and fixed in January 2024. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation in ransomware campaigns and added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in May 2024. Federal agencies were ordered to secure their systems by June 20, 2024. Mitigations include blocking 'nf_tables', restricting access to user namespaces, or loading the Linux Kernel Runtime Guard (LKRG) module.
Active Exploitation of Critical Microsoft WSUS Flaw
A critical vulnerability in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, is being actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to drop malicious payloads and execute arbitrary commands on infected hosts. The vulnerability affects WSUS versions 3.32.x and was discovered by Eye Security and Huntress. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch the flaw, which was added to the Known Exploited Vulnerabilities catalog. Organizations using WSUS are advised to apply the out-of-band security updates provided by Microsoft to mitigate the risk of exploitation. The flaw was originally patched by Microsoft as part of its Patch Tuesday updates, but attackers have since weaponized it to deploy .NET executables and Base64-encoded PowerShell scripts. Shadowserver is tracking over 2,800 WSUS instances with default ports exposed online. The vulnerability is a deserialization of untrusted data flaw that allows unauthenticated attackers to achieve remote code execution with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint. A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making it particularly dangerous for large enterprises. Huntress advised isolating network access to WSUS and blocking inbound traffic to TCP ports 8530 and 8531 as remediation steps. The out-of-band (OOB) security update KB5070881 for CVE-2025-59287 broke hotpatching on some Windows Server 2025 devices. Microsoft has released a new update, KB5070893, to address the issue without disrupting hotpatching. Administrators are advised to install this update to maintain hotpatching functionality.
Active Exploitation of Critical Adobe AEM Forms Misconfiguration
A critical misconfiguration flaw in Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier is under active exploitation. The flaw, CVE-2025-54253, allows arbitrary code execution via an exposed servlet. Adobe released a patch in August 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must apply the necessary fixes by November 5, 2025. The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28, 2025. The flaw is caused by an exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code without authentication or input validation. This enables attackers to execute arbitrary system commands with a single crafted HTTP request. A proof-of-concept exploit is publicly available.