Fortinet confirms second 0-day in just four days
"Fortinet has confirmed that another flaw in its FortiWeb web application firewall has been exploited as a zero-day and issued a patch, just days after disclosing a critical bug in the same product that attackers had found and abused a month earlier. The new bug, tracked as CVE-2025-58034, is an OS command injection vulnerability that allows authenticated attackers to execute unauthorized code on the underlying system using crafted HTTP requests or CLI commands. Updating FortiWeb devices to the most recent software version fixes the problem."
""Fortinet has observed this to be exploited in the wild," the vendor said in a Tuesday security advisory that credited Trend Micro researcher Jason McFadyen with finding and reporting the vulnerability. "Trend Micro has observed attacks in the wild using this flaw with around 2,000 detections so far," Trend Micro senior threat researcher Stephen Hilt told The Register. Meanwhile, the US Cybersecurity and Infrastructure Security Agency issued its own alert about the FortiWeb bug on Tuesday, adding it to its Known Exploited Vulnerability catalog and giving federal agencies just seven days to apply the patch."
"Fortinet did not immediately respond to The Register's inquiries about the scope of exploitation, who is abusing CVE-2025-58034, and the consequences of attacks on the flaw. We will update this story if we receive a response from the vendor. There's also this question: Is this new FortiWeb bug related to last week's disclosure? We've asked Fortinet about that, too."
An OS command injection vulnerability in Fortinet FortiWeb, tracked as CVE-2025-58034, enables authenticated attackers to run unauthorized code via crafted HTTP requests or CLI commands. Fortinet released a patch and advised updating FortiWeb devices to the latest software version to remediate the issue. Trend Micro reported around 2,000 detections of attacks exploiting the flaw. The US CISA added the vulnerability to its Known Exploited Vulnerability catalog and ordered federal agencies to apply the patch within seven days. The flaw appears likely to combine with an earlier FortiWeb vulnerability to form an exploit chain leading to unauthenticated remote code execution. The scope and full consequences of exploitation remain unclear.
Read at The Register