OS Command Injection Vulnerability in Fortinet FortiWeb
CVE-2025-58034
What is CVE-2025-58034?
CVE-2025-58034 is a vulnerability identified in Fortinet's FortiWeb, a web application firewall designed to protect web applications from attacks such as SQL injection and cross-site scripting. The flaw is an OS command injection: input that reaches an operating-system command is not properly neutralized, so an authenticated attacker can potentially execute unauthorized commands on the underlying operating system of affected FortiWeb versions. If exploited, this could lead to significant risks, including unauthorized access to sensitive data and control over the system.
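To make the vulnerability class concrete, the following added example (not FortiWeb code, and not derived from the advisory; the `ping` wrapper, the hostname policy and the function names are assumptions for illustration) contrasts the pattern that causes OS command injection with two defensive patterns: validating the argument against an allow-list and passing it as an argv element so that no shell ever parses it, and, where a shell cannot be avoided, quoting with `shlex.quote`.

```python
import re
import shlex
import subprocess
from typing import List

# Hypothetical policy for a hostname/IP argument: letters, digits, dots and
# hyphens only, and no leading hyphen so the value can never be read as an
# option by the program it is passed to (the argument-injection edge case).
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: caller-controlled input is pasted into a shell
    command line. A value such as 'web01; id' changes the command, because
    the shell interprets ';', '|', '&&', '$(...)' and similar metacharacters.
    Returned as a string for illustration, never executed here."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> bool:
    """Allow-list check: True only if the value matches the hostname policy."""
    return _HOST_RE.fullmatch(host) is not None


def build_command_safe(host: str) -> List[str]:
    """Hardened pattern: reject anything outside the allow-list, then return
    the command as an argv list. With shell=False no shell parses the value,
    so metacharacters have no meaning. Raises ValueError on rejected input so
    the caller can log the event rather than silently proceed."""
    if not validate_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def build_command_quoted(host: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote wraps anything
    containing unsafe characters in single quotes, so the shell treats the
    whole value as one literal word. Still weaker than the argv form above."""
    return "ping -c 1 " + shlex.quote(host)


def run_safe(host: str) -> int:
    """Execute the validated argv form without a shell; returns the exit code."""
    return subprocess.run(build_command_safe(host), shell=False, check=False).returncode


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a shell metacharacter.
    for candidate in ("web01.example.com", "web01; id"):
        print(f"{candidate!r:24} unsafe string -> {build_command_unsafe(candidate)!r}")
        try:
            print(f"{'':24} safe argv     -> {build_command_safe(candidate)!r}")
        except ValueError as exc:
            print(f"{'':24} safe argv     -> {exc}")
```

The argv form is the primary control; the regex is the "neutralization" the advisory's wording refers to, and the rejected-input branch is where a defender would emit a log line for detection.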
Potential Impact of CVE-2025-58034
- Unauthorized Code Execution: Attackers may gain the ability to execute arbitrary code on the host system, compromising the integrity and confidentiality of the data processed by FortiWeb.
- System Compromise: Successful exploitation could lead to a complete takeover of affected systems, enabling attackers to install malware, exfiltrate sensitive information, or pivot to other systems within the network.
- Operational Disruption: The vulnerability can potentially disrupt the normal functioning of web applications secured by FortiWeb, leading to service outages, loss of availability, and potentially substantial financial losses for organizations.
Affected Version(s)
FortiWeb 7.6.0 through 7.6.4 (inclusive)
FortiWeb 7.4.0 through 7.4.8 (inclusive)
FortiWeb 7.2.0 through 7.2.11 (inclusive)
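As an added example (not Fortinet tooling), the script below encodes the three affected ranges listed above and checks an inventory of reported version strings against them, which is the check a practitioner would run across a fleet. The inventory hostnames and versions are constructed sample data. The advisory lists only affected ranges and states no fixed versions, so a version outside the listed ranges is reported as "not in a listed range", not as fixed.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as listed in the advisory, inclusive on both ends.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((7, 6, 0), (7, 6, 4)),
    ((7, 4, 0), (7, 4, 8)),
    ((7, 2, 0), (7, 2, 11)),
]


def parse_version(text: str) -> Version:
    """Extract x.y.z from strings such as 'FortiWeb 7.4.3', 'v7.4.3' or '7.4.3'.
    Anything after the third component (e.g. a build number) is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_in_affected_range(version: str) -> bool:
    """True if the version falls inside one of the listed affected ranges.
    False means 'not in a listed range', which is not the same as 'fixed'."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hosts whose reported version is in an affected range."""
    return sorted(host for host, ver in inventory.items() if is_in_affected_range(ver))


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "waf-edge-01": "FortiWeb 7.6.2",
    "waf-edge-02": "FortiWeb 7.6.5",
    "waf-dc-01": "7.4.8",
    "waf-lab-01": "v7.2.12",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in an affected range for CVE-2025-58034")
```

Boundary handling is the part worth checking: 7.6.4, 7.4.8 and 7.2.11 are the last affected versions in each branch, so the comparison must be inclusive on the upper end.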