Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week
securityweek
Fortinet on Tuesday announced patches for 17 vulnerabilities, including a zero-day resolved with the latest FortiWeb updates.
Tracked as CVE-2025-58034 (CVSS score of 6.7), the bug is described as an OS command injection issue that can be exploited by authenticated attackers to execute arbitrary code on the underlying system, via crafted HTTP requests or CLI commands.
“Fortinet has observed this to be exploited in the wild,” the vendor notes in its advisory, without providing details on the attacks.
This is the second FortiWeb zero-day publicly disclosed within a week, after the company confirmed on November 14 that CVE-2025-64446 (CVSS score of 9.1), a critical-severity path traversal issue, had been targeted in attacks.
Fortinet patched both exploited vulnerabilities in FortiWeb versions 8.0.2, 7.6.6, 7.4.11, 7.2.12, and 7.0.12. Users should update their deployments as soon as possible.
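A small inventory check is what most defenders want from an advisory like this: given the version string each FortiWeb appliance reports, decide whether it already carries one of the fixed releases the article lists (8.0.2, 7.6.6, 7.4.11, 7.2.12, 7.0.12) or still needs the update. The following is an added example, not code from Fortinet or SecurityWeek; it assumes version strings contain a `major.minor.patch` triple (optionally with a `v` prefix or trailing build text), the inventory is a constructed sample, and any release branch the article does not mention is reported as "unknown-branch" for manual review rather than being treated as safe.

```python
import re
from typing import Dict, List, Tuple

# Fixed FortiWeb versions per release branch, as stated in the article for
# CVE-2025-58034 and CVE-2025-64446. Branches not listed here are not
# covered by the article, so they are flagged rather than assumed safe.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 0): (8, 0, 2),
    (7, 6): (7, 6, 6),
    (7, 4): (7, 4, 11),
    (7, 2): (7, 2, 12),
    (7, 0): (7, 0, 12),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the first major.minor.patch triple from a version string.

    Accepts forms such as '7.6.5', 'v7.6.5' or '7.6.5,build1234' (assumed
    formats for this example). Raises ValueError if no triple is present.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no major.minor.patch version found in {text!r}")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def assess(version_text: str) -> str:
    """Classify a FortiWeb version against the fixed releases in the article.

    Returns 'patched', 'vulnerable' or 'unknown-branch'.
    """
    major, minor, patch = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # The article gives no fixed version for this branch; review manually.
        return "unknown-branch"
    # Tuple comparison handles patch numbers of differing width (e.g. 7.4.9 vs 7.4.11).
    return "patched" if (major, minor, patch) >= fixed else "vulnerable"


def hosts_needing_action(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every host that is not confirmed patched."""
    findings = []
    for host, version in sorted(inventory.items()):
        status = assess(version)
        if status != "patched":
            findings.append((host, version, status))
    return findings


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "waf-dc1": "7.6.5",
    "waf-dc2": "v7.6.6",
    "waf-lab": "8.0.1,build0042",
    "waf-edge": "7.4.11",
    "waf-legacy": "6.4.3",
}

if __name__ == "__main__":
    for host, version, status in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host:12} {version:18} {status}")
```

Running the block prints only the hosts that still need attention: `waf-dc1` and `waf-lab` are below the fixed release for their branch, and `waf-legacy` sits on a branch the article does not cover, so it is surfaced for manual review instead of being silently accepted.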
Simultaneously with Fortinet ...
Copyright of this story solely belongs to securityweek.

