CVE-2025-58034

HIGH KEV

Fortinet Fortiweb < 7.0.12 - OS Command Injection

Title source: rule

Description

An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') [CWE-78] vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.5, FortiWeb 7.4.0 through 7.4.10, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11 may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.

Exploits (5)

github · WORKING POC · 10 stars
by lincemorado97 · tags: python, poc
https://github.com/lincemorado97/CVE-2025-64446_CVE-2025-58034

github · WRITEUP
by lequoca · tags: poc
https://github.com/lequoca/fortinet-fortiweb-cve-2025-64446-58034

vulncheck_xdb · WRITEUP
tags: remote-auth
https://github.com/BaoSec/CVE-2025-64446-CVE-2025-58034-Research-and-Analysis

metasploit · WORKING POC · EXCELLENT
by Defused, sfewer-r7 · tags: ruby, poc, unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/fortinet_fortiweb_rce.rb

Scores

CVSS v3 7.2
EPSS 0.3733
EPSS Percentile 97.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2025-11-18
VulnCheck KEV 2025-11-18
ENISA EUVD EUVD-2025-198020
CWE
CWE-78
Status published
Products (1)
fortinet/fortiweb 7.0.0 - 7.0.12
Published Nov 18, 2025
KEV Added Nov 18, 2025
Tracked Since Feb 18, 2026