CISA adds command code injection vulnerability in Fortinet FortiWeb OS to catalog

The Cybersecurity and Infrastructure Security Agency has incorporated a new vulnerability affecting Fortinet FortiWeb Operating System (OS) into its Known Exploited Vulnerabilities (KEV) Catalog, describing a command code injection flaw. This vulnerability represents a pathway for unauthorized command execution within the system.

Identified as CVE-2025-58034, this issue impacts certain versions of the FortiWeb OS. The flaw is located in the command code processing functionality, allowing exploitation under specific conditions detailed in the advisory. Additional context highlights distinctions related to this and previously reported flaws in the FortiWeb product line.

The vulnerability's exploitation has been observed in ongoing attack campaigns, posing risks to systems employing vulnerable configurations. Such exploitation could result in unauthorized control of system commands.

Fixes addressing this vulnerability have been released by Fortinet, with a recommended remediation window narrowed to one week based on recent exploitation activity. Guidance includes relevant Binding Operational Directives targeting system exposures via internet-facing management interfaces to manage and reduce potential attack surfaces.

The advisory mentions compliance mandates under Binding Operational Directive (BOD) 22-01 applicable to Federal Civilian Executive Branch agencies, which dictate timelines for vulnerability remediation to defend networks against active threats. It encourages all organizations, not only federal entities, to prioritize remediation efforts for vulnerabilities listed in the KEV Catalog to mitigate exposure to cyber threats.