Fortinet reports two critical vulnerabilities in FortiWeb within a few days. According to Fortinet, there is no connection between them.
Fortinet faces double trouble with vulnerabilities in FortiWeb, its firewall for web applications and APIs. On Tuesday, Fortinet disclosed CVE-2025-58034, which it classifies as CWE-78. The vulnerability allows attackers to execute unauthorized code via crafted HTTP requests or CLI commands. Fortinet credits competitor Trend Micro with the discovery.
Tuesday’s report follows only a few days after the disclosure of another vulnerability, CVE-2025-64446, classified as CWE-23. It allows unauthenticated attackers to execute admin commands and take over vulnerable devices. Although the vulnerability had been known for a month, Fortinet only acknowledged on Friday that attackers are actively exploiting it.
That makes two actively exploited vulnerabilities in the same Fortinet product. The remedy is the same for both: upgrade to the latest supported FortiWeb release. The following versions address the vulnerabilities:
- FortiWeb 8.0.2
- FortiWeb 7.6.6
- FortiWeb 7.4.11
- FortiWeb 7.2.12
- FortiWeb 7.0.12
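The check a defender would want from the list above, as an added example that is not Fortinet's own tooling: classify an inventory of FortiWeb version strings against the fixed releases the advisory lists. The hostnames and inventory are constructed, and treating any branch not in the list as unsupported (and therefore exposed) is an assumption made here.

```python
"""Classify FortiWeb versions against the fixed releases from the article.
Added example, not Fortinet's code. Only the fixed versions come from the
page; the inventory is constructed and the unsupported-branch rule is an
assumption."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed release per branch (major, minor), as listed on the page.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (8, 0): (8, 0, 2),
    (7, 6): (7, 6, 6),
    (7, 4): (7, 4, 11),
    (7, 2): (7, 2, 12),
    (7, 0): (7, 0, 12),
}


def parse_version(text: str) -> Version:
    """Parse '7.4.10' or 'v7.4.10' into a (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def assess(text: str) -> Tuple[str, Optional[Version]]:
    """Return ('patched' | 'vulnerable' | 'unsupported', fixed version).

    A branch absent from the table has no fix listed in the advisory, so it
    is reported as unsupported; treat it as exposed (assumption)."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unsupported", None
    return ("patched" if version >= fixed else "vulnerable"), fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for an inventory of device version strings."""
    return {host: assess(ver)[0] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"waf-dmz-01": "7.4.10", "waf-dmz-02": "7.6.6",
              "waf-lab": "8.0.1", "waf-legacy": "6.4.3"}
    for host, status in triage(sample).items():
        print(f"{host:12s} {sample[host]:8s} {status}")
```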
No connection, or is there?
It hardly seems a coincidence that two vulnerabilities in the same application emerge within such a short time, yet Fortinet maintains there is no connection. Experts at other security vendors doubt this, as the first vulnerability seems to aid in exploiting the second.
“Our research discovered a vulnerability in FortiWeb while investigating an older issue in the same product. We found that authenticated users could execute system commands via the web interface, putting customers at risk of attackers taking control of the device and penetrating deeper into the network if patches are not applied,” Trend Micro, which discovered the flaw, told The Register.
Rapid7 also appears skeptical that this is a coincidence. In its analysis it writes: “Both vulnerabilities were patched simultaneously by Fortinet without prior disclosure. It is useful to link an authentication bypass to an authenticated command injection. This makes it very likely that these two vulnerabilities form an exploit chain for unauthenticated remote code execution on vulnerable FortiWeb devices.”
