Fortinet confirms second 0-day exploited in the wild in just four days

Fortinet has confirmed that another flaw in its FortiWeb web application firewall has been exploited as a zero-day and issued a patch, just days after disclosing a critical bug in the same product that attackers had found and abused a month earlier.

The new bug, tracked as CVE-2025-58034, is an OS command injection vulnerability that allows authenticated attackers to execute unauthorized code on the underlying system using crafted HTTP requests or CLI commands. Updating FortiWeb devices to the most recent software version fixes the problem.

“Fortinet has observed this to be exploited in the wild,” the vendor said in a Tuesday security advisory that credited Trend Micro researcher Jason McFadyen with finding and reporting the vulnerability.

“Trend Micro has observed attacks in the wild using this flaw with around 2,000 detections so far,” Trend Micro senior threat researcher Stephen Hilt told The Register.

Meanwhile, the US Cybersecurity and Infrastructure Security Agency issued its own alert about the FortiWeb bug on Tuesday, adding it to its Known Exploited Vulnerabilities catalog and giving federal agencies just seven days to apply the patch. CISA usually sets a 15-day deadline for patching critical vulnerabilities and a 30-day deadline for high-severity ones.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” America’s cyber defense agency warned.

[…]

Source: Fortinet confirms second 0-day in just four days • The Register

Robin Edgar
