#VU118603 OS Command Injection in FortiWeb - CVE-2025-58034
Published: November 18, 2025 / Updated: December 12, 2025
Vulnerability identifier: #VU118603
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2025-58034
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
FortiWeb
FortiWeb
Software vendor:
Fortinet, Inc
Fortinet, Inc
Description
The vulnerability allows a remote privileged user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in an os command ('os command injection') in API and CLI. An authenticated attacker can execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
Note, the vulnerability is being actively exploited in the wild.
Remediation
Install update from vendor's website.