CISA Gives Government Agencies 7 Days to Patch New Fortinet Flaw CVE-2025-58034

Estimated reading time: 10 minutes

Key Takeaways:

  • CISA mandates U.S. government agencies to patch Fortinet’s FortiWeb vulnerability CVE-2025-58034 within one week.
  • CVE-2025-58034 is an OS command injection flaw being actively exploited in zero-day attacks.
  • Another FortiWeb flaw, CVE-2025-64446, is also under active exploitation, requiring immediate patching.
  • GreyNoise observed rapid weaponization of CVE-2025-64446, with attackers performing environment discovery and version validation.
  • PurpleOps offers services to help organizations address these Fortinet vulnerabilities, including threat intelligence and breach detection.

Table of Contents:

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive compelling U.S. government agencies to patch a newly identified vulnerability in Fortinet’s FortiWeb web application firewall within one week. This urgent action follows the discovery that the vulnerability, tracked as CVE-2025-58034, is being actively exploited in zero-day attacks.

CVE-2025-58034: A Deep Dive into the Fortinet Flaw

CVE-2025-58034 is classified as an OS command injection flaw (CWE-78). This vulnerability exists within FortiWeb and can be exploited by authenticated threat actors to achieve unauthorized code execution on the underlying system. The attack complexity is deemed low, and it does not require user interaction, making it a significant risk.

According to Fortinet’s advisory released on Tuesday, CVE-2025-58034 stems from *”An Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability [CWE-78] in FortiWeb. It may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.”*

CISA promptly added CVE-2025-58034 to its Known Exploited Vulnerabilities Catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies remediate the vulnerability by Tuesday, November 25th, as stipulated by Binding Operational Directive (BOD) 22-01.

CISA highlighted the critical nature of this flaw, stating, *”This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.”*

This urgency is compounded by the recent exploitation of another FortiWeb flaw, CVE-2025-64446, which was silently patched by Fortinet in late October. CISA noted, *”With recent and ongoing exploitation events [..], a reduced remediation timeframe of one week is recommended.”* The agency added CVE-2025-64446 to its catalog of actively exploited security flaws and ordered agencies to patch their systems by November 21st.

Unpacking CVE-2025-64446 and Its Exploitation

GreyNoise, a threat intelligence firm, has observed active exploitation of CVE-2025-64446, a critical path-traversal flaw that allows unauthenticated actors to execute administrative commands on Fortinet FortiWeb appliances. This vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on November 13th. Within 72 hours, GreyNoise’s honeypot network detected crafted requests targeting various FortiWeb versions (7.0-8.0).

The flaw resides in FortiWeb’s management API, which accepts a traversal string that can be manipulated to access the internal cgi-bin endpoint. An example of such a manipulated URL is:

/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi

Successful exploitation grants the attacker the ability to execute privileged operations. GreyNoise sensors first detected exploit traffic on November 17, 2025, indicating a rapid weaponization cycle.

GreyNoise observed eight distinct IP addresses probing with at least six different JA4T (TCP) fingerprints and two JA4H (HTTP) fingerprints. The TCP options (2-4-8-1-3) and overall stack profile suggest modern Linux-derived clients. The TLS handshakes were uniform, with the dominant JA3 fingerprint being 9b72665518dedb3531426284fdec8237, commonly associated with Python requests, libcurl-derived stacks, or Firefox-derived TLS libraries.

The infrastructure is spread across multiple hosting providers, including Flyservers, Clouvider, DigitalOcean, Kaopu Cloud, WorkTitans, InterHost, and HOSTKEY. This distribution suggests operators are seeking resilience and deniability.

User-agent strings indicate the use of various tools. Some nodes cycle through synthetically generated browser signatures, while others identify themselves as python-requests/2.25.1 or node.js. Some probes also include Log4Shell-style JNDI probes, suggesting opportunistic hunting beyond just FortiWeb.

GreyNoise’s analysis suggests the activity aligns with initial-access brokers and ransomware affiliate group patterns, including rapid adoption of high-value CVEs, large-scale scanning, multi-CVE probing, and a deliberately dispersed infrastructure.

Current activity is limited to environment discovery, version validation, traversal attempts, and occasional multi-port probes (443, 8443, 8080, 9443, 10443). No successful post-exploitation payloads have been captured in GreyNoise’s deception environments, but the attack surface allows for a *”scan now, exploit later”* approach.

Historical Exploitation of Fortinet Vulnerabilities

Fortinet vulnerabilities have a history of being exploited in cyber espionage and ransomware attacks. In August, Fortinet addressed a separate command injection vulnerability (CVE-2025-25256) in its FortiSIEM solution. Prior to that, a GreyNoise report highlighted a surge in brute-force attacks targeting Fortinet SSL VPNs.

Notably, in February, Fortinet disclosed that a Chinese hacking group, Volt Typhoon, exploited two FortiOS SSL VPN flaws to infiltrate a Dutch Ministry of Defence military network. This breach involved the use of a custom remote access trojan (RAT) known as Coathanger.

Practical Takeaways and Actionable Advice

Technical Readers:

  • Immediate Patching: Apply the latest Fortinet patches for FortiWeb without delay, especially if the management interface is exposed to the Internet.
  • Log Auditing: Scrutinize logs for traversal strings (../, %3f), unauthenticated POST requests to /api/v2.0/cmdb/, hits on /cgi-bin/fwbcgi, unusual user-agent diversity, or requests originating from known hosting providers used by malicious actors. Enable detailed logging and retain it for forensic use.
  • Network Segmentation: Implement strict network segmentation to isolate the management plane. Move the admin interface behind an allow-list, VPN, or bastion host. Keep it off the public Internet whenever possible.
  • Monitor for Exploitation: Utilize threat intelligence platforms to monitor for exploitation attempts and known malicious IP addresses targeting Fortinet systems. Consider using a PurpleOps Solutions to proactively identify and mitigate potential threats. Deploy real-time ransomware intelligence to detect and block ransomware attacks leveraging these vulnerabilities.

Non-Technical Readers:

  • Ensure Patching is Completed: Confirm that your IT department or managed service provider has applied the necessary patches to FortiWeb systems.
  • Review Security Policies: Review and update security policies to ensure they align with current threat intelligence. Pay special attention to access control policies for FortiWeb management interfaces.
  • Enhance Security Awareness: Educate employees about the risks associated with OS command injection vulnerabilities and the importance of reporting suspicious activity.
  • Implement Multi-Factor Authentication (MFA): Enforce MFA for all administrative access to FortiWeb systems and other critical infrastructure.
  • Verify Logging and Monitoring: Confirm that adequate logging and monitoring are in place to detect and respond to potential security incidents.

PurpleOps and Fortinet Vulnerabilities

PurpleOps provides a suite of cybersecurity services that can assist organizations in addressing vulnerabilities like CVE-2025-58034 and CVE-2025-64446. Our services include:

  • Cyber Threat Intelligence Platform: PurpleOps offers a comprehensive PurpleOps Solutions that provides real-time insights into emerging threats, including those targeting Fortinet products. This platform can help organizations proactively identify and mitigate potential risks. Our cyber threat intelligence platform includes dark web monitoring service capabilities, searching for mentions of your company and infrastructure in underground forums to provide a holistic risk management solution.
  • Breach Detection: PurpleOps’ breach detection services can help organizations identify and respond to security incidents resulting from the exploitation of vulnerabilities.
  • Supply-Chain Risk Monitoring: PurpleOps can assist with supply-chain risk monitoring by identifying and assessing risks associated with third-party vendors, including those using vulnerable Fortinet products.
  • Underground Forum Intelligence: PurpleOps provides PurpleOps Solutions to identify discussions and plans related to the exploitation of Fortinet vulnerabilities. This can provide early warning of potential attacks. Telegram threat monitoring can also provide early warning of threat actors discussing such exploits.
  • Brand Leak Alerting: PurpleOps monitors for brand leaks on the dark web and other online sources, which can indicate a compromised system or data breach.

Call to Action

To learn more about how PurpleOps can help your organization address Fortinet vulnerabilities and enhance your overall cybersecurity posture, please explore our services at PurpleOps Solutions. For tailored solutions or specific inquiries, contact us directly at https://www.purple-ops.io/platform/.

FAQ

Q: What is CVE-2025-58034?

A: CVE-2025-58034 is an OS command injection vulnerability in Fortinet’s FortiWeb web application firewall that allows authenticated attackers to execute unauthorized code on the underlying system.

Q: What is CVE-2025-64446?

A: CVE-2025-64446 is a critical path-traversal flaw in Fortinet FortiWeb that allows unauthenticated actors to execute administrative commands.

Q: What actions should I take?

A: Immediately apply the latest Fortinet patches for FortiWeb, scrutinize logs for suspicious activity, implement network segmentation, and monitor for exploitation attempts.

Q: How can PurpleOps help?

A: PurpleOps offers a cyber threat intelligence platform, breach detection services, supply-chain risk monitoring, and underground forum intelligence to help organizations address Fortinet vulnerabilities.