Fortinet Woes Continue With Another WAF Zero-Day Flaw
Recorded: Nov. 20, 2025, 2:02 a.m.
A second zero-day vulnerability in its web application firewall (WAF) line has come under attack, raising more questions about the vendor's disclosure practices.

Rob Wright, Senior News Director, Dark Reading
November 19, 2025

Fortinet on Tuesday disclosed a second zero-day vulnerability in its FortiWeb product line, less than a week after revealing that a different flaw in its web application firewall (WAF) line had been exploited in the wild.

CVE-2025-58034 is an OS command injection vulnerability that, if exploited, allows an authenticated attacker to run code on the WAF through crafted HTTP requests or CLI commands. The medium-severity flaw, which received a 6.7 CVSS score, stems from an improper neutralization of special elements, according to Fortinet's advisory.

The disclosure comes on the heels of another FortiWeb vulnerability, tracked as CVE-2025-64446. Disclosed Nov. 14, that zero-day flaw sparked accusations of silent patching from cybersecurity vendors and infosec professionals. CVE-2025-58034 has raised further questions about Fortinet's disclosure practices. It is also the latest in a series of exploited vulnerabilities and security threats for the network security vendor, which has been increasingly targeted in recent years as both cybercriminals and nation-state actors have shifted their focus to edge devices like VPNs and firewalls.

Are the FortiWeb Zero-Days Connected?

It's unclear whether the latest zero-day vulnerability stems from the exploitation activity for CVE-2025-64446 that Fortinet confirmed last week. The advisory for CVE-2025-58034 provides no details about the scope or source of the attacks. Dark Reading contacted Fortinet for comment, but the company did not respond at press time.

However, France's Orange Cyberdefense said on Wednesday in a series of posts on the social media platform X that "several exploitation campaigns" are targeting CVE-2025-58034 in chained attacks with CVE-2025-64446.

Fortinet credited Trend Micro researcher Jason McFadyen for reporting CVE-2025-58034. In a statement to Dark Reading, the Trend Micro research team said it has seen around 2,000 detections for exploitation activity, and that the flaw was discovered while researchers were reviewing an older issue in FortiWeb. "Based on our current analysis, the two vulnerabilities are separate issues," the statement read. "While they are not directly connected, attackers can chain vulnerabilities when possible, so both should be patched to reduce overall risk."

Meanwhile, Rapid7 today published a technical breakdown of CVE-2025-58034 that noted the vulnerability was patched in an update prior to its public disclosure, just as CVE-2025-64446 was.

"The timeline for both vulnerabilities being disclosed is only days apart. Both vulnerabilities were patched by the vendor in prior product updates and with no disclosure at the time of patching," Rapid7 noted in the technical analysis. "There is an obvious utility of chaining an authentication bypass to an authenticated command injection. Given all of these things, it seems highly likely these two vulnerabilities comprise an exploit chain for unauthenticated remote code execution against vulnerable FortiWeb devices."

Rapid7 also flagged another issue. Based on an analysis of the patch, Rapid7 researchers observed that it added new validation logic to multiple functions in FortiWeb. As a result, multiple command injections were remediated, but only one CVE was assigned. "The CVE ecosystem works best when a single vulnerability with a single root cause is assigned a single CVE identifier," Rapid7 said. "It is unhelpful to assign multiple vulnerabilities across a code base with a single CVE identifier, as defenders cannot correctly attribute which vulnerability is being exploited (for example, the network traffic or IOCs may vary depending on which specific vulnerability is exploited), which can be detrimental to detection and remediation."

Mitigation and Defense

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) catalog. In light of the ongoing zero-day attacks against CVE-2025-64446, "a reduced remediation timeframe of one week is recommended," CISA said in its alert. Under Binding Operational Directive (BOD) 22-01, CISA has typically given federal agencies a deadline of two weeks to patch new vulnerabilities added to KEV.

Orange Cyberdefense recommended that Fortinet customers update their WAFs to a fixed version (FortiWeb versions 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12) and not expose their FortiWeb management interfaces on the Internet. Additionally, organizations should monitor for newly created user accounts.
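The fixed versions Orange Cyberdefense lists are one per FortiWeb release branch, so a fleet check has to compare each device against the floor for its own branch rather than against a single number. The Python triage helper below is an added example, not code from Dark Reading, Orange Cyberdefense or Fortinet; it assumes each listed version is the first fixed release on its branch and reports branches not in the list as unknown instead of guessing.

```python
"""Fleet triage against the FortiWeb fixed versions named in the article."""
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Fixed versions as quoted from Orange Cyberdefense in the article above.
FIXED_VERSIONS = ("8.0.2", "7.6.6", "7.4.11", "7.2.12", "7.0.12")


def parse_version(text: str) -> tuple[int, int, int]:
    """Accept '7.4.10', 'v7.4.10' or '7.4.10 build 0112'; return (major, minor, patch)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised FortiWeb version string: {text!r}")
    return tuple(int(x) for x in m.groups())


# Assumption: each listed version is the fix floor for its (major, minor) branch.
FIX_FLOOR = {parse_version(v)[:2]: parse_version(v)[2] for v in FIXED_VERSIONS}


class Triage(NamedTuple):
    version: str
    status: str              # "fixed", "needs-update" or "unknown-branch"
    target: Optional[str]    # release to move to, when the branch is known


def triage(version: str) -> Triage:
    """Classify one reported version against the fix floor of its own branch."""
    major, minor, patch = parse_version(version)
    floor = FIX_FLOOR.get((major, minor))
    if floor is None:
        # Branch not covered by the article's list: check the vendor advisory.
        return Triage(version, "unknown-branch", None)
    target = f"{major}.{minor}.{floor}"
    return Triage(version, "fixed" if patch >= floor else "needs-update", target)


def triage_fleet(inventory: dict[str, str]) -> dict[str, Triage]:
    """Map device name -> reported version into device name -> Triage."""
    return {name: triage(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {"waf-dmz-1": "7.4.10", "waf-dmz-2": "v7.6.6 build 0112",
              "waf-lab": "6.3.23", "waf-new": "8.0.3"}
    for name, t in triage_fleet(sample).items():
        print(f"{name:10} {t.version:18} {t.status:14} target={t.target}")
```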