Multiple Vulnerabilities in Fortinet Products Enable Arbitrary Code Execution and Information Disclosure
Several Fortinet products, including FortiWeb, FortiClient, FortiExtender, FortiMail, FortiPAM, FortiSandbox, FortiADC, FortiVoice, FortiOS, and FortiProxy, have been found to contain multiple vulnerabilities, some of which could allow for arbitrary code execution. The most severe of these vulnerabilities, such as the FortiWeb RCE flaw (CVE-2025-58034), is under active exploitation and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Additionally, a vulnerability in FortiClient for Windows involving active debug code could allow a local attacker to retrieve saved VPN user passwords, posing a significant risk of information disclosure.
Security advisories urge organizations using affected Fortinet products to review available patches and mitigations immediately. The vulnerabilities impact a wide range of Fortinet's security and networking solutions, increasing the urgency for prompt remediation to prevent potential exploitation and compromise of sensitive assets.
Timeline
Nov 19, 2025
CISA KEV alert highlights active exploitation of FortiWeb flaw
Public reporting noted CISA's Known Exploited Vulnerabilities alert for CVE-2025-58034, emphasizing that the FortiWeb command-injection vulnerability was being actively exploited. This marked an escalation from vendor disclosure to broader government-backed warning and prioritization.
Nov 18, 2025
CVE-2025-58034 reported as exploited in the wild
Fortinet and downstream defenders reported that CVE-2025-58034, a FortiWeb remote code execution flaw involving command injection, had been observed under active exploitation. The disclosure increased urgency for organizations using affected Fortinet products to remediate immediately.
Nov 18, 2025
Fortinet discloses multiple product vulnerabilities and releases fixes
Fortinet published advisory FG-IR-25-844 covering multiple vulnerabilities across Fortinet products, including information disclosure through debug features and other severe flaws. The vendor made patches available and advised customers to update affected systems.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Sources
Related Stories
Multiple Critical Vulnerabilities in Fortinet Security Products
Fortinet has disclosed several high-severity vulnerabilities affecting its security product lines, including FortiWeb, FortiVoice, and FortiSandbox. Notable issues include a cookie forgery vulnerability in FortiWeb (CVE-2025-64447) that allows unauthenticated attackers to execute arbitrary operations via forged cookies, provided they know the device's serial number, and an improper verification of cryptographic signatures in FortiWeb (CVE-2025-59719) that enables unauthenticated attackers to bypass FortiCloud SSO login authentication using crafted SAML responses. Additionally, FortiVoice is impacted by a path traversal vulnerability (CVE-2025-60024) permitting privileged authenticated attackers to write arbitrary files, and FortiSandbox suffers from an OS command injection flaw (CVE-2025-53949) that allows authenticated attackers to execute unauthorized code on the underlying system through crafted HTTP requests. All vulnerabilities are remotely exploitable and have been assigned high or critical CVSS scores, with the FortiWeb authentication bypass rated as critical (CVSS 9.8/10). Fortinet has released security advisories and patches for the affected versions, urging customers to update their systems promptly to mitigate the risk of exploitation. Security researchers and vendors have highlighted the urgency of these patches due to the potential for unauthenticated remote attacks and the critical role these products play in enterprise security architectures.
1 months ago
Active Exploitation of FortiWeb OS Command Injection Vulnerabilities
Fortinet has disclosed multiple vulnerabilities in its FortiWeb web application firewall, including a critical OS command injection flaw tracked as CVE-2025-64446 and another actively exploited vulnerability, CVE-2025-58034. These vulnerabilities allow authenticated attackers to execute unauthorized code or commands on affected FortiWeb systems via crafted HTTP requests or CLI commands. Fortinet has observed exploitation of these flaws in the wild and has released security updates to address the issues, urging customers to upgrade to the latest versions to mitigate risk. The vulnerabilities impact several FortiWeb versions, and Fortinet has credited researchers from Trend Micro for responsible disclosure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by mandating that all federal civilian agencies patch CVE-2025-64446 within seven days, highlighting the severity and active exploitation of the bug. Security researchers have noted that attackers are using HTTP POST requests to create new admin-level accounts on exposed devices, and CISA has recommended disabling HTTP/HTTPS on internet-facing interfaces if immediate patching is not possible. Fortinet has communicated directly with affected customers and emphasized the importance of prompt remediation to prevent further compromise of FortiWeb deployments.
1 months ago
Active Exploitation of Fortinet FortiWeb OS Command Injection Vulnerability (CVE-2025-58034)
Fortinet has disclosed a critical OS command code injection vulnerability, identified as CVE-2025-58034, affecting FortiWeb products. Security advisories from both Fortinet and the Canadian Centre for Cyber Security confirm that an exploit for this vulnerability is active in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-58034 to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring the significant risk posed to organizations using affected FortiWeb devices. CISA recommends a reduced remediation timeframe of one week due to ongoing exploitation and urges all organizations, not just federal agencies, to prioritize patching this vulnerability. The vulnerability is a frequent attack vector for malicious actors, and immediate action is advised to mitigate the risk, including applying vendor updates and following best practices for securing internet-exposed management interfaces. Organizations are encouraged to review the official advisories and implement the necessary updates to protect their networks from active threats.
1 months ago