CVE-2025-58034

HIGH KEV

FortiWeb 7.0.0-7.0.11, 7.2.0-7.2.11, 7.4.0-7.4.10, 7.6.0-7.6.5, 8.0.0-8.0.1 - OS Command Injection

Title source: llm

Exploitation Summary

CVE-2025-58034 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 18, 2025. EIP tracks 5 public exploits from researchers including lincemorado97, eagle-nett and lequoca, as well as a Metasploit module (exploits/linux/http/fortinet_fortiweb_rce).

AI-analyzed exploit summary: This repository contains a functional exploit for chaining CVE-2025-64446 (authentication bypass via relative path traversal) and CVE-2025-58034 (authenticated OS command injection) to achieve unauthenticated remote code execution on Fortinet FortiWeb appliances. The exploit creates an administrative account and then executes arbitrary commands as root.

Description

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.

Exploits (5)

github · WORKING POC · 10 stars
by lincemorado97 · python · poc
https://github.com/lincemorado97/CVE-2025-64446_CVE-2025-58034

This repository contains a functional exploit for chaining CVE-2025-64446 (authentication bypass via relative path traversal) and CVE-2025-58034 (authenticated OS command injection) to achieve unauthenticated remote code execution on Fortinet FortiWeb appliances. The exploit creates an administrative account and then executes arbitrary commands as root.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Fortinet FortiWeb (versions 8.0.0-8.0.1, 7.6.0-7.6.5, 7.4.0-7.4.10, 7.2.0-7.2.11, 7.0.0-7.0.11)
Authentication: No auth needed
Prerequisites: Network access to the target FortiWeb appliance · FortiWeb appliance running a vulnerable version
Analyzed by devstral-2 on Feb 19, 2026

github · WRITEUP
by eagle-nett · python · poc
https://github.com/eagle-nett/FORTIWEB_CVE-2025-64446-58034

This repository provides a detailed technical analysis of CVE-2025-64446 (authentication bypass via path traversal) and CVE-2025-58034 (OS command injection) in FortiWeb. It includes exploit payloads, affected versions, and mitigation steps, but lacks complete functional exploit code.

Classification: Writeup (90%)
Attack Type: Auth Bypass | RCE
Complexity: Moderate
Reliability: Reliable
Target: FortiWeb (versions 8.0.0-8.0.1, 7.6.0-7.6.5, 7.4.0-7.4.10, 7.2.0-7.2.11, 7.0.0-7.0.11)
Authentication: No auth needed
Prerequisites: Network access to FortiWeb management interface · Python environment for exploit execution
Analyzed by devstral-2 on May 01, 2026

github · WRITEUP
by lequoca · poc
https://github.com/lequoca/fortinet-fortiweb-cve-2025-64446-58034

This repository provides a detailed technical analysis of CVE-2025-64446 (authentication bypass via relative path traversal) and CVE-2025-58034 (OS command injection in Fortinet FortiWeb). It includes root cause analysis, affected versions, and exploitation steps but lacks functional exploit code.

Classification: Writeup (90%)
Attack Type: Auth Bypass | RCE
Complexity: Moderate
Reliability: Theoretical
Target: Fortinet FortiWeb (versions 8.0.0-8.0.1, 7.6.0-7.6.5, 7.4.0-7.4.10, 7.2.0-7.2.11, 7.0.0-7.0.11)
Authentication: No auth needed
Prerequisites: Network access to FortiWeb device · Knowledge of FortiWeb CLI for CVE-2025-58034
Analyzed by devstral-2 on Feb 19, 2026

vulncheck_xdb · WRITEUP
remote-auth
https://github.com/BaoSec/CVE-2025-64446-CVE-2025-58034-Research-and-Analysis

This repository provides a detailed technical analysis of CVE-2025-64446 (path traversal leading to admin account creation) and CVE-2025-58034 (command injection leading to RCE) in FortiWeb. It includes root cause analysis, exploit payloads, and screenshots but lacks functional exploit code.

Classification: Writeup (95%)
Attack Type: Auth Bypass | RCE
Complexity: Moderate
Reliability: Theoretical
Target: FortiWeb (versions 7.0.0–8.0.1)
Authentication: No auth needed
Prerequisites: Network access to FortiWeb · Knowledge of target IP/port
Analyzed by devstral-2 on Mar 03, 2026

metasploit · WORKING POC · EXCELLENT
by Defused, sfewer-r7 · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/fortinet_fortiweb_rce.rb

This Metasploit module exploits an authentication bypass (CVE-2025-64446) and command injection (CVE-2025-58034) in Fortinet FortiWeb to achieve unauthenticated RCE with root privileges. It creates a new admin account via path traversal and then leverages command injection for execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Fortinet FortiWeb (versions 8.0.0-8.0.1, 7.6.0-7.6.5, 7.4.0-7.4.10, 7.2.0-7.2.11, 7.0.0-7.0.11, and unsupported 6.x)
Authentication: No auth needed
Prerequisites: Network access to FortiWeb management interface (typically TCP/443)
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 7.2
EPSS: 0.4574
EPSS Percentile: 97.7%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2025-11-18
VulnCheck KEV: 2025-11-18
ENISA EUVD: EUVD-2025-198020
CWE: CWE-78
Status: published
Products (1): fortinet/fortiweb 7.0.0 - 7.0.12
Published: Nov 18, 2025
KEV Added: Nov 18, 2025
Tracked Since: Feb 18, 2026