OS Command Injection in FortiWeb - CVE-2025-58034
Published: November 18, 2025 / Updated: December 12, 2025
Vulnerability identifier: #VU118603
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2025-58034
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: Fortinet, Inc
Affected software:
FortiWeb
FortiWeb
Detailed vulnerability description
The vulnerability allows a remote privileged user to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements used in an os command ('os command injection') in API and CLI. An authenticated attacker can execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
Note, the vulnerability is being actively exploited in the wild.
How to mitigate CVE-2025-58034
Install update from vendor's website.